# [CRIT] [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE **Source:** GitHub Security Advisories **Published:** 2026-05-29 **Article:** https://github.com/advisories/GHSA-m4wx-m65x-ghrr ## Threat Profile vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE ## Summary The fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in `nodevm.js` line 263 that blocks the combination `nesting: true` + `require: false`. However, the check uses strict equality (`options.require === false`), which is trivially bypassed by omitting the `require` option entirely. When `require` is not specified, `options.require` is `undefined`, not `false`. The stric… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47137` - **CVE:** `CVE-2023-37903` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.003** — Command and Scripting Interpreter: Windows Command Shell - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1611** — Escape to Host - **T1059.007** — Command and Scripting Interpreter: JavaScript ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Node.js process spawning OS shell with enumeration commands — vm2 sandbox escape (CVE-2026-47137) `UC_175_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdlines from datamodel=Endpoint.Processes where (Processes.parent_process_name="node.exe" OR Processes.parent_process_name="node") AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","sh","bash","dash","ash","zsh","wmic.exe")) AND (Processes.process="*whoami*" OR Processes.process="* id*" OR Processes.process="*uname*" OR Processes.process="*hostname*" OR Processes.process="*ipconfig*" OR Processes.process="*ifconfig*" OR Processes.process="*/etc/passwd*" OR Processes.process="*child_process*" OR Processes.process="*execSync*" OR Processes.process="*net user*" OR Processes.process="*cat /etc*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node.exe", "node") | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "ash", "zsh", "wmic.exe") | where ProcessCommandLine has_any ("whoami", " id ", " id;", "uname", "hostname", "ipconfig", "ifconfig", "/etc/passwd", "/etc/shadow", "child_process", "execSync", "net user", "cat /etc", "systeminfo") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Vulnerable vm2 package (<=3.11.3) present on host — CVE-2026-47137 exposure surface `UC_175_3` · phase: **weapon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as paths from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\node_modules\\vm2\\package.json" OR Filesystem.file_path="*/node_modules/vm2/package.json" OR Filesystem.file_path="*\\node_modules\\vm2\\lib\\nodevm.js" OR Filesystem.file_path="*/node_modules/vm2/lib/nodevm.js" by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(90d) | where FolderPath has_any (@"\node_modules\vm2\", "/node_modules/vm2/") | where FileName in~ ("package.json", "nodevm.js", "main.js", "index.js") | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Paths = make_set(FolderPath, 20), Files = make_set(FileName, 10), Writers = make_set(InitiatingProcessFileName, 10) by DeviceName | extend NodeAppHost = iff(array_length(Paths) > 0, true, false) | order by LastSeen desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting `UC_175_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("nodevm.js","exploit.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("nodevm.js","exploit.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("nodevm.js", "exploit.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("nodevm.js", "exploit.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47137`, `CVE-2023-37903` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.