CVE-2026-47137
published 2026-06-12


Priority: P260
Severity: critical, CVSS 3.1 base score 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.38% (30.0th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.
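The guard-ordering bug described above, as an added example that is not vm2's own code: checkOptionsVulnerable mirrors the pattern the advisory describes (a strict-equality check on options.require, then a destructuring default of false for the same option), and checkOptionsFixed is one hardened form that resolves defaults first and validates the effective configuration. The function names, the error text and the allowsUnsafeConfig helper are this example's own.

```javascript
// Added example, not vm2's own code: reproduces the option-validation pattern
// the advisory describes so the undefined-vs-false bypass is visible in isolation.

function checkOptionsVulnerable(options = {}) {
  // Strict-equality guard: only fires when the caller passed require: false
  // explicitly. An omitted require is undefined here and slips past.
  if (options.nesting === true && options.require === false) {
    throw new Error('nesting: true is not allowed with require: false');
  }
  // Destructuring default runs after the guard: an omitted require becomes
  // false at this point, which is exactly the configuration the guard meant
  // to reject.
  const { nesting = false, require: requireOpts = false } = options;
  return { nesting, require: requireOpts };
}

function checkOptionsFixed(options = {}) {
  // Hardened form (this example's own): resolve defaults first, then validate
  // the values that will actually be used.
  const { nesting = false, require: requireOpts = false } = options;
  if (nesting === true && requireOpts === false) {
    throw new Error('nesting: true is not allowed with require: false');
  }
  return { nesting, require: requireOpts };
}

// Returns true when `validator` lets the unsafe effective configuration
// (nesting true with require false) through for the given options.
function allowsUnsafeConfig(validator, options) {
  try {
    const effective = validator(options);
    return effective.nesting === true && effective.require === false;
  } catch (e) {
    return false;
  }
}

// Stand-alone demonstration with the three option shapes that matter.
const explicitFalse = { nesting: true, require: false };
const omitted = { nesting: true };
console.log('vulnerable guard, require: false  ->', allowsUnsafeConfig(checkOptionsVulnerable, explicitFalse));
console.log('vulnerable guard, require omitted ->', allowsUnsafeConfig(checkOptionsVulnerable, omitted));
console.log('fixed guard, require omitted      ->', allowsUnsafeConfig(checkOptionsFixed, omitted));
```

Ordering is the whole fix: validating after defaults resolve catches every path that ends with require equal to false, including the omitted case. Patching the guard to also test for undefined would close this particular hole but still leaves the check and the default as two places that must agree.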

Affected

3 ranges

Vendor                       Product             Version range    Fixed in
ansible-automation-platform  automation-portal   -                -
rhdh                         rhdh-hub-rhel9      -                -
vm2_project                  vm2                 >= 0 < 3.11.4    3.11.4

Detection & IOCs (extracted from sources)

  • The bypass is triggered by omitting the `require` option entirely (leaving it undefined) while setting `nesting: true`. The strict equality check `options.require === false` at nodevm.js line 263 is skipped when `require` is undefined, allowing the unsafe configuration to proceed.
  • Monitor for vm2 sandbox instantiation with `nesting: true` and no explicit `require` option set — this is the exact configuration that bypasses the CVE-2023-37903 patch and enables sandbox escape.
  • Audit Node.js applications for use of vm2 versions prior to 3.11.4, specifically looking for code paths where user-supplied JavaScript can reach the vm2 sandbox runtime.
  • The vulnerable file is `nodevm.js` at line 263 (security guard check) and line 280 (destructuring default assignment). Inspect this file in deployed vm2 installations to confirm patched vs. unpatched state.
  • The vulnerability only manifests when vm2 is used with `nesting: true` and the `require` option is omitted. Deployments that do not invoke the nested sandboxing functionality are not exploitable via this path.
  • Red Hat rates this as Moderate severity in Red Hat Developer Hub and Ansible Automation Platform because the affected vm2 package is only a transitive dependency and the vulnerable code path is not reachable in default configurations.
  • No mitigation short of patching to vm2 version 3.11.4 is available that meets Red Hat's criteria for ease of use, deployment applicability, and stability.
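An audit helper for the two checks in the list above (installed vm2 version against 3.11.4, and NodeVM option objects that set nesting: true without any require key), added here as an example and not taken from the advisory or from vm2. The lockfile and source snippets are constructed for the example; the lockfile layout assumed is npm's lockfileVersion 2/3 "packages" map, with a lockfileVersion 1 "dependencies" fallback. It is a textual scan: it only reports literal option objects passed directly to new NodeVM(...), so options assembled elsewhere or spread in still need manual review.

```javascript
// Added example, not from the advisory or the vm2 project: audit a lockfile for
// a pre-3.11.4 vm2 and scan source for the nesting-without-require option shape.

const FIXED_VERSION = '3.11.4';

// Compare two dotted numeric versions; negative when a < b, 0 when equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Installed vm2 version from package-lock.json text, or null if absent.
// lockfileVersion 2/3 keys packages by path; lockfileVersion 1 uses "dependencies".
function vm2VersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const v3 = lock.packages && lock.packages['node_modules/vm2'];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies.vm2;
  return v1 && v1.version ? v1.version : null;
}

function vm2Outdated(lockJson) {
  const v = vm2VersionFromLock(lockJson);
  return v !== null && compareVersions(v, FIXED_VERSION) < 0;
}

// Return the balanced {...} literal starting at index `start` in src, or null.
function extractObjectLiteral(src, start) {
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}') {
      depth--;
      if (depth === 0) return src.slice(start, i + 1);
    }
  }
  return null;
}

// Option literals passed directly to new NodeVM(...) that set nesting: true and
// never mention a require key at all (the shape the advisory describes).
function findUnsafeNodeVMOptions(src) {
  const hits = [];
  const re = /new\s+NodeVM\s*\(\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const literal = extractObjectLiteral(src, m.index + m[0].length - 1);
    if (literal === null) continue;
    const nesting = /\bnesting\s*:\s*true\b/.test(literal);
    const hasRequire = /\brequire\s*:/.test(literal);
    if (nesting && !hasRequire) hits.push(literal);
  }
  return hits;
}

// Constructed sample inputs for the example.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { 'node_modules/vm2': { version: '3.11.3' } },
});

const SAMPLE_SOURCE = `
const { NodeVM } = require('vm2');
// Bypass shape: nesting on, require left undefined.
const vmA = new NodeVM({ nesting: true, console: 'inherit' });
// Explicit require: false is what the original guard rejects; not the bypass shape.
const vmB = new NodeVM({ nesting: true, require: false });
// Nesting off: not on the affected path.
const vmC = new NodeVM({ sandbox: {} });
`;

function auditSample() {
  return {
    outdated: vm2Outdated(SAMPLE_LOCK),
    unsafeOptions: findUnsafeNodeVMOptions(SAMPLE_SOURCE),
  };
}

console.log(auditSample());
```

A version below 3.11.4 is the first signal; the option scan narrows it to instantiations on the affected path, which matches the Red Hat reasoning above that a transitive vm2 with no nesting: true call sites is not reachable by this bug.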

CVSS provenance

nvd            v3.1   10.0   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ghsa                  10.0   CRITICAL
vendor_redhat         10.0   CRITICAL