CVE-2026-47137

CVE Database · CVE-2026-47137

CVE-2026-47137

· CRITICALDeferred

CVSS v3.1

10.0

EPSS

0.70%

Published

Jun 12, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-913

References (5)

https://github.com/advisories/GHSA-g644-9gfx-q4q4

https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568

https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7

https://github.com/patriksimek/vm2/releases/tag/v3.11.4

https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr

KEV Catalog EPSS Scores Vendors All CVEs