Broken Object Level Authorization

Broken Object Level Authorization - Node.js (Express) fix [CVE-2026-43999]

[Updated May 2026] Updated CVE-2026-43999

Overview

vm2 is a sandboxing library for Node.js used to run untrusted code in an isolated context. CVE-2026-43999 describes a vulnerability in vm2 before version 3.11.0: NodeVM's builtin allowlist could be bypassed when the module builtin was allowed, either explicitly or through the '*' wildcard. Because Module._load runs in the host context, sandboxed code that obtains the module builtin can call it to load host modules such as child_process and execute commands or spawn processes.

This defeats the isolation the sandbox exists to provide. In an Express application that passes request-supplied code to NodeVM, the worst case is remote code execution (RCE) in the server process. The weakness is tracked as CWE-863: Incorrect Authorization; this page files it under Broken Object Level Authorization because the sandboxed object (the untrusted code) gains access to privileged host resources that the allowlist was meant to deny it. The real-world impact is substantial: an attacker who can load and execute privileged modules can exfiltrate data, pivot to other services, or take full control of the host process.

A practical caveat: vm2 has a long history of sandbox escapes, so an in-process sandbox should be treated as one layer of defence, not the only one. Run untrusted code in a separate, low-privilege process or container and keep the builtin allowlist as small as the workload permits, even after upgrading.

Affected Versions

vm2 < 3.11.0

Code Fix Example

Node.js (Express) API Security Remediation
/* Vulnerable pattern (pre-fix) and the secure fix (post-fix) side by side for a Node.js/Express app that runs untrusted code with vm2's NodeVM. The pre-fix handler is left deliberately vulnerable to show the pattern; do not copy it. */

const express = require('express');
const { NodeVM } = require('vm2');
const app = express();
app.use(express.json());

// Vulnerable pattern: accepts untrusted code from the request body and grants broad host access.
// external: true lets the sandbox require any host package, and the '*' builtin wildcard puts
// 'module' on the allowlist, which exposes Module._load; on vm2 < 3.11.0 that lets sandboxed
// code load child_process and run commands on the host.
app.post('/run-vuln', (req, res) => {
  const code = req.body.code || '';
  const vm = new NodeVM({
    sandbox: {},
    console: 'inherit',
    require: {
      external: true,
      builtin: ['*'] // vulnerable: wildcard allowlist includes 'module', exposing Module._load to the sandbox
    }
  });
  try {
    const result = vm.run(code);
    res.json({ result: String(result) });
  } catch (err) {
    res.status(500).json({ error: err.message });
  }
});

// Fixed pattern: upgrade vm2 to >= 3.11.0 and, independently of the upgrade, shrink the
// allowlist: no external packages and no builtins (in particular not 'module'), so there is
// no Module._load path for sandboxed code to reach even if a future bypass appears.
app.post('/run-fixed', (req, res) => {
  const code = req.body.code || '';
  const vm = new NodeVM({
    sandbox: {},
    console: 'inherit',
    require: {
      external: false,    // sandboxed code cannot require host packages
      builtin: []          // no builtins at all; 'module' (Module._load) and child_process are unreachable
    }
  });
  try {
    const result = vm.run(code);
    res.json({ result: String(result) });
  } catch (err) {
    res.status(500).json({ error: err.message });
  }
});

app.listen(3000, () => console.log('VM2 demo listening on port 3000'));
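The fix above shrinks the allowlist by hand. The following is an added example, not code from the original page or from the vm2 project: a startup guard that audits a NodeVM `require` option and the installed vm2 version before an Express app is allowed to run untrusted code, so that the '*' wildcard and the module builtin described in the overview cannot creep back in through configuration. The `{ external, builtin }` shape is the one used in the page's own snippet; the list of additional host-escape builtins (child_process, fs, vm, worker_threads, cluster, repl) and the `preflight` and `hardenedNodeVMOptions` helpers are this example's own assumptions, not part of the advisory.

```javascript
// Added example (not from the original page or the vm2 project): audit a NodeVM
// `require` configuration and the installed vm2 version before running untrusted code.
// Assumption: the option shape { external, builtin } matches vm2's NodeVM `require`
// option as used in the page's snippet; nothing here imports vm2 itself.

// Builtins that give sandboxed code a path back to the host. 'module' is the one the
// advisory names (it exposes Module._load); the rest are this example's own additions
// because they spawn processes, touch the filesystem or create new contexts.
const HOST_ESCAPE_BUILTINS = new Set([
  'module', 'child_process', 'fs', 'vm', 'worker_threads', 'cluster', 'repl',
]);

// Minimal "major.minor.patch" comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the vm2 version is below 3.11.0, the first release the advisory lists as fixed.
// A leading range marker such as '^' or '~' (as found in package.json) is stripped first.
function isVulnerableVm2Version(version) {
  return compareVersions(version.replace(/^[^\d]*/, ''), '3.11.0') < 0;
}

// Audit a NodeVM `require` option. Returns an array of finding strings; empty means OK.
function auditRequireConfig(requireOpt) {
  const findings = [];
  // `require` omitted or set to false disables require() in the sandbox entirely.
  if (requireOpt === undefined || requireOpt === false) return findings;
  const { external, builtin } = requireOpt;

  if (external === true) {
    findings.push('external: true lets sandboxed code require any package from the host');
  }
  const builtins = Array.isArray(builtin) ? builtin : [];
  if (builtins.includes('*')) {
    findings.push("builtin: ['*'] allows every builtin, including 'module' (Module._load host escape)");
  }
  for (const name of builtins) {
    if (name !== '*' && HOST_ESCAPE_BUILTINS.has(name)) {
      findings.push(`builtin '${name}' gives sandboxed code a path to host resources`);
    }
  }
  return findings;
}

// Build NodeVM options that allow only an explicit, audited list of builtins.
// Throws instead of silently accepting a dangerous list.
function hardenedNodeVMOptions(allowedBuiltins = []) {
  const opts = {
    sandbox: {},
    console: 'off',
    require: { external: false, builtin: [...allowedBuiltins] },
  };
  const findings = auditRequireConfig(opts.require);
  if (findings.length > 0) {
    throw new Error('refusing unsafe NodeVM config: ' + findings.join('; '));
  }
  return opts;
}

// Preflight for app startup: combine the version check with the config audit.
// Returns every problem found so the operator sees all of them at once.
function preflight(vm2Version, requireOpt) {
  const problems = auditRequireConfig(requireOpt);
  if (isVulnerableVm2Version(vm2Version)) {
    problems.unshift(`vm2 ${vm2Version} is < 3.11.0 (CVE-2026-43999)`);
  }
  return problems;
}

// Constructed inputs mirroring the page's vulnerable and fixed handlers.
const vulnerableRequire = { external: true, builtin: ['*'] };
const fixedRequire = { external: false, builtin: [] };
console.log('vulnerable:', preflight('3.9.19', vulnerableRequire));
console.log('fixed:', preflight('3.11.0', fixedRequire));
```

In an Express app the natural place for `preflight` is before `app.listen`, reading the version from `require('vm2/package.json').version` and refusing to start when the returned array is non-empty; `hardenedNodeVMOptions` then replaces the hand-written options object in the handler, so any later attempt to add 'module' or '*' to the allowlist fails at startup rather than at exploitation time.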

CVE References
