Vulnerability in vm2 Sandbox for Node.js
CVE-2026-47137
10CRITICAL
What is CVE-2026-47137?
The vm2 module, a widely used sandbox library for Node.js, contains a vulnerability that allows a bypass of security checks safeguarding the 'require' option in nested configurations. Prior versions to 3.11.4 utilize strict equality checks that fail when the 'require' option is omitted, leading to potentially insecure configurations. This oversight permits attackers to execute code outside the sandbox. Users are advised to update to version 3.11.4 or later to mitigate this risk.
Affected Version(s)
vm2 < 3.11.4
