9 matches found
CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...
CVE-2026-47137
Summary (CVE-2026-47137): The vm2 sandbox (NodeVM) had a bypass in versions prior to 3.11.4 where nesting: true with an unspecified require allowed full host RCE. The issue arose because a security check (options.nesting === true && options.require === false) only catches explicit require: false;...
GHSA-M4WX-M65X-GHRR vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
Summary The fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is trivially bypassed by omitting the require option entirely. When...
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
Summary The fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is trivially bypassed by omitting the require option entirely. When...
CVE-2026-44007
vm2 contains a vulnerability where creating a NodeVM with nesting: true allows sandbox code to bypass outer VM restrictions (e.g., require: false) and construct an inner NodeVM with unrestricted require settings to execute host commands. Affected: vm2 versions up to 3.11.0 (and prior to 3.11.1). ...
CVE-2026-44007 vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration β including require: false. With access to vm2, the sandbox constructs a new inner NodeVM wi...
CVE-2026-44007 vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration β including require: false. With access to vm2, the sandbox constructs a new inner NodeVM wi...
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration β including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...
GHSA-8HG8-63C5-GWMX vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration β including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...