CVSS 10.0 · CRITICAL

CVE-2026-47137

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.
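The guard logic described above, modelled as an added example (this is not vm2's source code). guardBeforeFix mirrors the described pre-3.11.4 order of operations: strict comparison against false first, destructuring default second. guardAfterFix is an assumed hardened form that resolves the default before testing the effective value; it is an illustration, not a claim about what version 3.11.4 actually does. classify() reports whether a given option object reaches the forbidden nesting: true + require: false configuration. The option objects are constructed for the example.

```javascript
// Added example (not vm2 source): a model of the NodeVM option guard the
// advisory describes, written to show why omitting `require` bypasses it.

const BLOCKED_MSG = 'nesting: true cannot be combined with require: false';

// Mirrors the described pre-3.11.4 order: strict guard first, defaults second.
function guardBeforeFix(options = {}) {
  // An absent `require` is undefined here, so undefined === false is false
  // and the guard is skipped.
  if (options.nesting === true && options.require === false) {
    throw new Error(BLOCKED_MSG);
  }
  // Described destructuring default: the absent `require` becomes false only
  // now, after the guard has already been passed.
  const { require: requireOpts = false, nesting = false } = options;
  return { nesting, requireOpts };
}

// Assumed hardened form (illustrative, not necessarily the 3.11.4 change):
// resolve the defaults first, then check the effective value.
function guardAfterFix(options = {}) {
  const { require: requireOpts = false, nesting = false } = options;
  if (nesting === true && requireOpts === false) {
    throw new Error(BLOCKED_MSG);
  }
  return { nesting, requireOpts };
}

// 'blocked' if the guard throws, 'unsafe' if the guard lets the forbidden
// nesting + no-require configuration through, 'ok' otherwise.
function classify(guard, options) {
  let resolved;
  try {
    resolved = guard(options);
  } catch (e) {
    return 'blocked';
  }
  return resolved.nesting === true && resolved.requireOpts === false ? 'unsafe' : 'ok';
}

// Constructed configurations an application might hand to new NodeVM(...).
const CASES = [
  { name: 'explicit require: false', options: { nesting: true, require: false } },
  { name: 'require omitted', options: { nesting: true } },
  { name: 'require enabled', options: { nesting: true, require: { external: true } } },
  { name: 'no nesting', options: {} },
];

// Runs every case through both guards; the 'require omitted' row is the bug.
function runAll() {
  return CASES.map(({ name, options }) => ({
    name,
    before: classify(guardBeforeFix, options),
    after: classify(guardAfterFix, options),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runAll()) {
    console.log(`${r.name.padEnd(24)} before: ${r.before.padEnd(8)} after: ${r.after}`);
  }
}
```

The useful audit question for a code base that embeds vm2 is the second row: any NodeVM constructed with nesting: true and no require key hits the skipped guard on versions before 3.11.4, so each such call site should be reviewed alongside the upgrade.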


Analysis

This critical vulnerability in the vm2 library for Node.js lets an attacker escape the sandbox entirely and execute arbitrary code on the host server. The root cause is a logic error in option validation: when the require option is left unspecified, the guard added for CVE-2023-37903 is skipped, and the destructuring default then produces the very nesting: true + require: false configuration the guard was meant to block. Updating to version 3.11.4 removes this remote code execution risk; until the upgrade is deployed, audit every NodeVM instantiation that sets nesting: true and check whether it passes a require option at all.

Relevant roles

JavaScript, TypeScript, Backend, CyberSecurity

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-913 (Improper Control of Dynamically-Managed Code Resources)

EPSS

Probability of exploitation (next 30 days): 0.0022 (0.22%)
Percentile: 45.3%
EPSS score date: 2026-06-12

Published: 2026-06-12 15:16:28
Last modified: 2026-06-12 16:03:15

References
