{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-47137/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-13T03:55:56.787Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-47137","@id":"https://www.cve.org/CVERecord?id=CVE-2026-47137","description":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Im"},"products":[{"@id":"cpe:2.3:a:patriksimek:vm2:\\<_3.11.4:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:patriksimek:vm2:\\<_3.11.4:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-13T03:55:56.787Z"}]}