PatchSiren cyber security CVE debrief
CVE-2026-47137 patriksimek CVE debrief
CVE-2026-47137 is a critical vulnerability in vm2, an open-source vm/sandbox for Node.js. Prior to version 3.11.4, the fix introduced for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) was incomplete. The check in nodevm.js line 263 blocks the combination nesting: true + require: false using strict equality (options.require === false). However, the check can be bypassed by omitting the require option entirely, so that options.require is undefined rather than false and the guard never triggers. Immediately after, line 280 assigns requireOpts = false via a destructuring default, producing the exact configuration the patch aimed to prevent.
- Vendor: patriksimek
- Product: vm2
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of the vm2 sandbox for Node.js, especially those running versions prior to 3.11.4, should be aware of this critical vulnerability.
Technical summary
The vulnerability arises from a flawed security check in vm2's nodevm.js. Specifically, the check for require: false uses strict equality, which can be bypassed by not specifying the require option at all, leaving it undefined while the subsequent default still resolves it to false. This issue was patched in version 3.11.4.
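To make the flawed check concrete, here is an added illustration in JavaScript written for this debrief; it is not vm2's source code, and the function names and the exact hardened form are assumptions. It models the guard described above beside a version that validates the effective configuration after defaults are resolved, so an omitted option and an explicit false are treated the same.

```javascript
// Added illustration (not vm2's code). Function names are assumptions.

// Mirrors the flawed guard: it rejects nesting:true + require:false only when
// the caller passed `require === false` literally. An omitted `require` is
// undefined, passes the guard, and the destructuring default that follows
// then yields exactly the combination the guard was meant to block.
function checkOptionsFlawed(options) {
  if (options.nesting === true && options.require === false) {
    throw new Error('nesting requires the require option to be enabled');
  }
  const { nesting = false, require: requireOpts = false } = options;
  return { nesting, requireOpts };
}

// Hardened form (an assumed approach, not necessarily the 3.11.4 patch):
// resolve defaults first, then validate the effective configuration.
function checkOptionsHardened(options) {
  const { nesting = false, require: requireOpts = false } = options;
  if (nesting === true && requireOpts === false) {
    throw new Error('nesting requires the require option to be enabled');
  }
  return { nesting, requireOpts };
}

// Returns 'blocked' if the guard threw, otherwise the effective configuration.
function outcome(check, options) {
  try {
    return check(options);
  } catch (e) {
    return 'blocked';
  }
}

// Constructed sample configurations for the demonstration.
const explicitFalse = { nesting: true, require: false }; // caught by both
const requireOmitted = { nesting: true };                // slips past the flawed guard

console.log('flawed, explicit false :', outcome(checkOptionsFlawed, explicitFalse));
console.log('flawed, require omitted:', outcome(checkOptionsFlawed, requireOmitted));
console.log('hardened, explicit false :', outcome(checkOptionsHardened, explicitFalse));
console.log('hardened, require omitted:', outcome(checkOptionsHardened, requireOmitted));
```

The flawed guard returns an effective configuration of nesting: true with requireOpts: false for the omitted case, while the hardened guard blocks it.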
Defensive priority
High
Recommended defensive actions
- Update vm2 to version 3.11.4 or later.
- Review vm2 configurations, particularly those that enable nesting, and restrict any that could be exploited.
Evidence notes
CVE-2026-47137 has a CVSS score of 10 and is considered CRITICAL. It was published on 2026-06-12T15:16:28.137Z and modified on 2026-06-12T16:03:15.620Z.