Vulnerability in vm2 Sandbox for Node.js
CVE-2026-47137

10CRITICAL

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47137?

The vm2 module, a widely used sandbox library for Node.js, contains a vulnerability that allows a bypass of security checks safeguarding the 'require' option in nested configurations. Prior versions to 3.11.4 utilize strict equality checks that fail when the 'require' option is omitted, leading to potentially insecure configurations. This oversight permits attackers to execute code outside the sandbox. Users are advised to update to version 3.11.4 or later to mitigate this risk.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.