Upgrade vm2 to version 3.11.4 or higher.
vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the NodeVM constructor in lib/nodevm.js. When a NodeVM is created with nesting: true and the require option is omitted or falsy, the constructor builds a NESTING_OVERRIDE-only resolver whose sole builtin is vm2, so sandboxed code can require('vm2') even though the outer VM was meant to deny requires entirely. An attacker running code in that sandbox can use the injected vm2 builtin to construct an inner NodeVM with attacker-chosen require settings, load child_process from it, and execute commands on the host. This breaks the expectation that a nested sandbox stays at least as constrained as its parent and can lead to full compromise of the host process.
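The configuration to look for in your own code is the one described above: nesting enabled while require is omitted or falsy. The following is an added example, not code from vm2 or from this advisory, that audits NodeVM option objects for that shape, produces a hardened copy, and runs a heuristic scan over JavaScript source text for `new NodeVM({...})` calls. The function names are hypothetical, the sample sources are constructed for the example, and the textual scanner does not evaluate scanned code (it only pattern-matches the literal), so computed option values and nested objects are out of its scope.

```javascript
'use strict';

// Audit one NodeVM options object for the vulnerable shape described in the
// advisory: nesting enabled while `require` is omitted or falsy. On affected
// vm2 versions that shape injects the vm2 builtin as the only resolvable
// module, which is the foothold for the inner-VM escape.
function auditNodeVMOptions(options) {
  const opts = options || {};
  const findings = [];
  if (opts.nesting && !opts.require) {
    findings.push(
      'nesting: true with omitted/falsy require: sandboxed code can ' +
        "require('vm2') and build an inner NodeVM with its own require settings"
    );
  }
  return findings;
}

// Produce a hardened copy of an options object. Nesting is disabled unless
// the caller explicitly opts in, and the require decision is made explicit.
// This only removes the nesting foothold; on versions before 3.11.4 the
// remediation is still to upgrade.
function hardenNodeVMOptions(options, { allowNesting = false } = {}) {
  const opts = Object.assign({}, options || {});
  if (!allowNesting) opts.nesting = false;
  if (opts.require === undefined) opts.require = false;
  return opts;
}

// Textual check of a `{...}` options literal lifted from source. It never
// evaluates the literal; it looks for `nesting: true` and for a `require:`
// key whose value is not a literal falsy token. Computed values are out of scope.
function auditOptionsLiteral(literal) {
  const nesting = /\bnesting\s*:\s*true\b/.test(literal);
  const requireMatch = /\brequire\s*:\s*([^\s,}]+)/.exec(literal);
  const requireFalsy =
    !requireMatch || /^(false|null|undefined|0)$/.test(requireMatch[1]);
  return auditNodeVMOptions({ nesting, require: !requireFalsy });
}

// Find every `new NodeVM({ ... })` in a source string by brace matching and
// audit its options literal. Strings or comments with unbalanced braces would
// confuse this heuristic; a production scanner should use a JavaScript parser.
function scanSource(source, fileName) {
  const results = [];
  const re = /new\s+NodeVM\s*\(\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = m.index + m[0].length - 1; // index of the opening '{'
    let depth = 0;
    let end = -1;
    for (let i = start; i < source.length; i++) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}' && --depth === 0) { end = i; break; }
    }
    if (end < 0) break;
    const literal = source.slice(start, end + 1);
    const line = source.slice(0, m.index).split('\n').length;
    const findings = auditOptionsLiteral(literal);
    if (findings.length) results.push({ file: fileName, line, findings });
    re.lastIndex = end + 1;
  }
  return results;
}

function scanAll(sources) {
  return Object.entries(sources).flatMap(([name, src]) => scanSource(src, name));
}

// Constructed sample sources for this example (not from any real project).
const SAMPLE_SOURCES = {
  'worker.js': `
const { NodeVM } = require('vm2');
// Meant to deny all requires, but nesting is on: vulnerable before 3.11.4.
const vm = new NodeVM({ nesting: true, console: 'off' });
vm.run(untrusted);
`,
  'legacy.js': `
const vm = new NodeVM({
  nesting: true,
  require: false,
});
`,
  'plugins.js': `
const vm = new NodeVM({ nesting: true, require: { external: true, builtin: ['fs'] } });
const other = new NodeVM({ require: false });
`,
};

for (const hit of scanAll(SAMPLE_SOURCES)) {
  console.log(`${hit.file}:${hit.line}: ${hit.findings.join('; ')}`);
}
```

In a real code base you would feed `scanSource` the contents of each file and wrap new sandboxes as `new NodeVM(hardenNodeVMOptions(opts))`; neither replaces the upgrade to 3.11.4 or later, they only make the dangerous configuration visible and explicit.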