Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.
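The following is an added example, not vm2's own code, that models the guard the description walks through: the flawed strict-equality check, which an omitted `require` option slips past before the destructuring default resolves it to false, beside a corrected check that tests the resolved values instead. Function names and error text are assumptions, and the corrected form is one way to close the gap, not necessarily the change shipped in 3.11.4.

```javascript
// Added example (not vm2's code): models the option guard described in the
// advisory. Function names and error text are assumptions.

// Flawed guard: strict equality only catches an *explicit* `require: false`.
function checkNestingFlawed(options) {
  if (options.nesting === true && options.require === false) {
    throw new Error('nesting:true with require:false is not allowed');
  }
  // The destructuring default then resolves an omitted `require` (undefined)
  // to false, i.e. the very combination the guard meant to reject.
  const { nesting = false, require: requireOpts = false } = options;
  return { nesting, requireOpts };
}

// Corrected guard: resolve the defaults first, then test the effective values,
// so an omitted `require` is treated the same as an explicit false.
function checkNestingFixed(options) {
  const { nesting = false, require: requireOpts = false } = options;
  if (nesting === true && requireOpts === false) {
    throw new Error('nesting:true with require:false is not allowed');
  }
  return { nesting, requireOpts };
}

// Returns true when the given guard rejects the option set.
function guardRejects(check, options) {
  try {
    check(options);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed option sets an auditor might feed to both guards.
const cases = [
  { nesting: true, require: false }, // explicit: both guards reject
  { nesting: true },                 // omitted: flawed guard lets it through
  { nesting: true, require: true },  // allowed by both
];
for (const c of cases) {
  console.log(JSON.stringify(c),
    'flawed rejects:', guardRejects(checkNestingFlawed, c),
    'fixed rejects:', guardRejects(checkNestingFixed, c));
}
```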
Published: 2026-06-12
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vm2 sandbox for Node.js has a security bypass that allows an attacker to achieve remote code execution. A previous fix (GHSA-8hg8-63c5-gwmx) introduced a guard that would block the combination of enabling nested sandboxes (`nesting: true`) and disabling the ability to require modules (`require: false`). The guard used strict equality, so omitting the `require` option left its value undefined rather than false, and the check did not fire. The subsequent default assignment reinstated the prohibited configuration, permitting the exploit to proceed. This flaw originates from a coding oversight that was not present before the patch.

Affected Systems

The issue affects the vm2 package developed by patriksimek. All released versions earlier than 3.11.4 are vulnerable because they use the flawed guard. Any application that imports or uses vm2 with `nesting: true` but does not explicitly set `require: false` can trigger the bypass and obtain unrestricted code execution within the host process.

Risk and Exploitability

The CVSS score of 10 indicates a critical vulnerability. The EPSS score is below 1%, suggesting a low probability of widespread exploitation, but the vulnerability remains severe. It is not yet included in the CISA KEV catalog. Exploitation requires constructing a vm2 instance with `nesting: true` and no explicit `require` setting, which may be feasible in environments that expose the vm2 configuration to untrusted or external code. The high CVSS score demonstrates that the configuration can lead to full control over the host. The low EPSS score indicates that the likelihood of active exploitation is small at present, but the flaw could be employed in targeted attacks or supply-chain compromise. Although the vulnerability is not yet listed in the CISA KEV catalog, its impact warrants immediate action, especially in systems that rely on vm2 to isolate untrusted JavaScript.

Generated by OpenCVE AI on June 18, 2026 at 01:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to vm2 v3.11.4 or higher where the guard is corrected.
  • If upgrading is not yet possible, explicitly set `require: false` whenever `nesting: true` is enabled to eliminate the bypass path.
  • Audit all instances of vm2 in your codebase to ensure that nested sandboxes are either disabled or configured with explicit `require: false`, and consider disabling nesting entirely if it is not required for functionality.


Advisories
Source: GitHub GHSA
ID: GHSA-m4wx-m65x-ghrr
Title: vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
History

Tue, 16 Jun 2026 12:15:00 +0000
  • Weaknesses: added CWE-480
  • References: no values listed
  • Metrics: threat_severity changed from None to Moderate

Fri, 12 Jun 2026 16:45:00 +0000
  • First Time appeared: added Patriksimek; Patriksimek vm2
  • Vendors & Products: added Patriksimek; Patriksimek vm2

Fri, 12 Jun 2026 15:30:00 +0000
  • Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000
  • Description: added (identical to the Description section above)
  • Title: added "vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE"
  • Weaknesses: added CWE-913
  • References: no values listed
  • Metrics: added cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-13T03:55:56.787Z
Reserved: 2026-05-18T19:50:18.696Z
Link: CVE-2026-47137

Vulnrichment
Updated: 2026-06-12T14:59:15.587Z

NVD
Status: Deferred
Published: 2026-06-12T15:16:28.137
Modified: 2026-06-12T16:03:15.620
Link: CVE-2026-47137

Red Hat
Severity: Moderate
Public Date: 2026-06-12T14:15:34Z
Links: CVE-2026-47137 - Bugzilla

OpenCVE Enrichment
Updated: 2026-06-18T02:00:05Z

Weaknesses
  • CWE-480: Use of Incorrect Operator
  • CWE-913: Improper Control of Dynamically-Managed Code Resources