Improper Control of Dynamically-Managed Code Resources in vm2 - #VU131736


Published: May 18, 2026


Vulnerability identifier: #VU131736
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-913
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the host system.

The vulnerability exists due to improper control of dynamically-managed code resources in the NodeVM sandbox implementation in nodevm.js when a sandbox is created with nesting enabled and the require option omitted. A remote attacker who can run code inside a NodeVM instance created with this configuration can escape the sandbox and execute arbitrary code on the host system.

The issue occurs because the check that is meant to reject this combination compares the require option against false with strict equality, so it does not fire when require is undefined (the option was simply omitted); the default assignment that runs afterwards then sets require to false, producing exactly the combination the check was meant to reject. With nesting enabled, code running in the sandbox can create an inner VM, and that inner VM is not constrained by the outer sandbox configuration.
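The following is an added example, not code from vm2 or from the project's author. It reproduces the order-of-operations bug the advisory describes with a constructed option validator: a guard that tests the raw option with strict equality before defaults are applied misses the omitted (undefined) case, and the later default turns it into the rejected value. The function names, the option shape and the thrown error are assumptions for this example; they do not correspond to vm2's API.

```javascript
// Added example, not vm2's code. Constructed illustration of a validation check
// that runs before default assignment and therefore misses an omitted option.
// Names (buildSandboxConfig*, rejects) and option shapes are assumptions.

// Vulnerable ordering: the guard inspects options.require as supplied by the
// caller. When the caller omits `require`, the value is undefined, so the
// `=== false` comparison is false and the guard is skipped. The destructuring
// default below then sets require to false anyway.
function buildSandboxConfigVulnerable(options = {}) {
  if (options.nesting === true && options.require === false) {
    throw new Error('nesting enabled without require is not allowed');
  }
  const { nesting = false, require: requireOpt = false } = options;
  return { nesting, require: requireOpt };
}

// Hardened ordering: apply defaults first, then validate the effective values.
// An omitted `require` now becomes false before the check runs, so the
// unsafe combination is rejected whether `require` was passed as false or
// left out entirely.
function buildSandboxConfigFixed(options = {}) {
  const { nesting = false, require: requireOpt = false } = options;
  if (nesting === true && requireOpt === false) {
    throw new Error('nesting enabled without require is not allowed');
  }
  return { nesting, require: requireOpt };
}

// Helper: returns true when the builder throws for the given options.
function rejects(builder, options) {
  try {
    builder(options);
    return false;
  } catch (e) {
    return true;
  }
}

// Demonstration with constructed option sets.
for (const opts of [{ nesting: true, require: false }, { nesting: true }]) {
  console.log(
    JSON.stringify(opts),
    'vulnerable rejects:', rejects(buildSandboxConfigVulnerable, opts),
    'fixed rejects:', rejects(buildSandboxConfigFixed, opts)
  );
}
```

The first option set is caught by both versions; the second, where require is omitted, passes the vulnerable check and yields nesting: true with require: false, the configuration the check was written to prevent. Validating after normalization removes the gap.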


Remediation

Install the security update from the vendor's website. Until the update is applied, avoid creating NodeVM instances with nesting enabled, and pass the require option explicitly rather than relying on its default.

Sources