216.73.216.233

CVE-2026-47137

· Published 12/06/2026 17:16 · Modified 12/06/2026 16:03 · Author: The MITRE Corporation

Labels: CVE-2026-47137 2026-06-12CVE-2026-47137CWE-913[email protected]

Essential information

Published
12/06/2026 17:16
Modified
12/06/2026 16:03
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
10.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-913
EPSS (First)
P45.3% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00223)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS metrics

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vm2 / vm2 cpe:2.3:a:vm2:vm2:3.11.4:*:*:*:*:*:*:*

References