Lucene search
K

4 matches found

Cvelist
Cvelist
β€’added 2026/06/12 2:15 p.m.β€’27 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

10CVSS0.00382EPSS
Exploits0References5
CVE
CVE
β€’added 2026/06/12 2:15 p.m.β€’23 views

CVE-2026-47137

Summary (CVE-2026-47137): The vm2 sandbox (NodeVM) had a bypass in versions prior to 3.11.4 where nesting: true with an unspecified require allowed full host RCE. The issue arose because a security check (options.nesting === true && options.require === false) only catches explicit require: false;...

10CVSS5.1AI score0.00382EPSS
Exploits0References5
OSV
OSV
β€’added 2026/05/29 5:50 p.m.β€’29 views

GHSA-M4WX-M65X-GHRR vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

Summary The fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is trivially bypassed by omitting the require option entirely. When...

10CVSS6.1AI score0.00382EPSS
Exploits0References6
Vulnrichment
Vulnrichment
β€’added 2026/05/13 5:33 p.m.β€’9 views

CVE-2026-44007 vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration β€” including require: false. With access to vm2, the sandbox constructs a new inner NodeVM wi...

9.1CVSS6.2AI score0.009EPSS
Exploits1References1
Rows per page
Query Builder