CVE-2026-47137

Published: Giu 12, 2026 Last Modified: Giu 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 10,0

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0005

Percentile

0,2th

Updated

EPSS Score Trend (Last 4 Days)

913

Improper Control of Dynamically-Managed Code Resources

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Execute Unauthorized Code Or Commands Varies By Context Alter Execution Logic

Applicable Platforms

Languages: Not Language-Specific, Interpreted

View CWE Details

https://github.com/advisories/GHSA-g644-9gfx-q4q4

https://github.com/patriksimek/vm2/commit/01a7552add345d5a6…

https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0…

https://github.com/patriksimek/vm2/commit/86ab819f202c3a8da…

https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c518…

https://github.com/patriksimek/vm2/releases/tag/v3.11.4

https://github.com/patriksimek/vm2/security/advisories/GHSA…

https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr

CVE-2026-47137

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 4 Days)

Improper Control of Dynamically-Managed Code Resources

Common Consequences

Applicable Platforms

Iscriviti alla newsletter