CVE-2026-47137 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-47137/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 29 May 2026 17:52:09 +0000vm2 CVE-2023-37903 Patch Bypass: Remote Code Executionhttps://feed.craftedsignal.io/briefs/2026-05-vm2-rce-bypass/Fri, 29 May 2026 17:52:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-vm2-rce-bypass/The vm2 npm package has a remote code execution vulnerability due to a patch bypass for CVE-2023-37903; the vulnerability occurs because the check for `nesting: true` and `require: false` in `nodevm.js` uses strict equality, which can be bypassed by omitting the `require` option entirely, allowing an attacker to execute arbitrary OS commands.The vm2 npm package, a sandboxing solution for Node.js, is vulnerable to a remote code execution (RCE) bypass of the CVE-2023-37903 patch. This bypass occurs because the check implemented to prevent the combination of nesting: true and require: false uses strict equality (===). By simply omitting the require option when instantiating a NodeVM, the check is bypassed, as options.require becomes undefined, not false. This oversight allows an attacker to bypass the intended security restrictions and execute arbitrary code on the host system. This vulnerability affects vm2 versions 3.11.3 and earlier and poses a significant risk to applications relying on vm2 for sandboxing untrusted code.

Attack Chain

  1. An attacker injects malicious JavaScript code into a NodeVM instance configured with nesting: true but without explicitly setting the require option.
  2. The initial security check in nodevm.js at line 263 fails because options.require is undefined instead of false, thus bypassing the intended restriction.
  3. The code inside the NodeVM then uses require('vm2') to gain access to the vm2 library itself.
  4. The injected code constructs a new, nested NodeVM instance, this time explicitly enabling the child_process module via require: { builtin: ['child_process'] }.
  5. The nested NodeVM instance is then used to execute arbitrary operating system commands using child_process.execSync().
  6. The output of the command is converted to a string.
  7. The string is returned as the result of the initial nvm.run() call, demonstrating successful command execution on the host.
  8. The attacker achieves full remote code execution on the host system.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host system. In a multi-tenant environment or any situation where vm2 is used to sandbox untrusted code, this can lead to complete system compromise. The attacker can gain access to sensitive data, install malware, or pivot to other systems on the network. The observed damage is full RCE.

Recommendation

  • Upgrade to a patched version of vm2 that addresses this vulnerability.
  • Apply the suggested fix to nodevm.js locally if an immediate upgrade is not possible: Change the check to if (options.nesting === true && !options.require) as documented in the advisory.
  • Deploy the Sigma rules provided to detect attempts to exploit this vulnerability, focusing on process_creation events originating from within vm2 sandboxes.
  • Monitor for unusual require() calls within vm2 sandboxes, especially those attempting to load the child_process module.
]]>criticaladvisoryvm2rcesandbox-escapeCVE-2026-47137