CVE-2026-47137

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4

Description A security check in nodevm.js designed to block the combination of nesting: true and require: false is bypassed because it uses strict equality (options.require === false). If the require option is omitted, options.require is undefined, causing the check to fail. Subsequently, a destructuring default assigns requireOpts = false, resulting in the restricted configuration. This allows an attacker running code inside a NodeVM({ nesting: true }) sandbox to achieve full Remote Code Execution (RCE) on the host system by requiring the vm2 library and constructing an inner NodeVM with access to child process.execSync to execute arbitrary OS commands.

Recommendations Update to version 3.11.4 or later.