fix(GHSA-8hg8-63c5-gwmx): reject contradictory { nesting: true, require: false } at construction

patriksimek · claude · patriksimek · commit 46cbbdde4e19 · 2026-05-01T23:12:21.000+02:00
The pair { nesting: true, require: false } silently produced an unsandboxed NodeVM. nesting: true injects a NESTING_OVERRIDE builtin that exposes vm2 to the sandbox regardless of require: false. Sandbox code then constructs an inner NodeVM with attacker-chosen require config (which is unconstrained by the outer config — by design of nesting) and reaches child_process for full host RCE. Reporter framed this precisely: 'mental-model mismatch'. A developer who sets require: false to lock down modules then enables nesting: true for legitimate child-VM use believes the sandbox is restricted. It is not. Fix: NodeVM constructor throws VMError immediately when both options are set explicitly. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at construction with a clear, actionable error rather than silently producing an unsandboxed sandbox. Bare new NodeVM({ nesting: true }) (no require config) continues to work as the documented escape hatch — out of scope for this patch. The deeper issue (nesting: true is fundamentally an escape hatch and grants sandbox unrestricted host access via inner NodeVMs) is now documented prominently: - README new section '5. nesting: true is an escape hatch' under Hardening recommendations. Spells out the inner-VM independence and concludes 'do not enable nesting: true for untrusted code'. - JSDoc on the nesting option upgraded to match. - ATTACKS.md Category 25 documents the configuration trap and the matching row in the 'How The Bridge Defends' table. 6 tests in test/ghsa/GHSA-8hg8-63c5-gwmx/repro.js cover: rejection of the contradictory pair, blocking of the original PoC, regression guards for { nesting: true, require: { builtin: [] } }, bare nesting: true, require: false alone, and default config. What this fix does NOT close: nesting: true with any non-false require config remains an escape hatch. Constraint propagation from outer to inner NodeVM was considered and deferred — would change documented nesting semantics substantially, major-version-shaped change. Bump to 3.11.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Changelog
 
+## [3.11.1]
+
+Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.
+
+### Security fix
+
+- **GHSA-8hg8-63c5-gwmx** — `nesting: true` bypassed `require: false`, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair `{ nesting: true, require: false }` now throws `VMError` at `new NodeVM(...)` time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox. ATTACKS.md Category 25.
+
+### Documentation
+
+- New README section **"`nesting: true` is an escape hatch"** under Hardening recommendations. Explains that `nesting: true` lets sandbox code `require('vm2')` and construct nested NodeVMs whose `require` config is chosen by the sandbox (not constrained by the outer config — by design of nesting). **Do not enable `nesting: true` for untrusted code.**
+- JSDoc on the `nesting` option (`lib/nodevm.js`) upgraded to spell out the escape-hatch semantics and the GHSA-8hg8 contradictory-pair rejection.
+- ATTACKS.md gains Category 25 documenting the configuration trap and a matching row in the "How The Bridge Defends" table.
+
+### Upgrade notes
+
+- **If you set `{ nesting: true, require: false }`** anywhere in your codebase, `new NodeVM(...)` now throws. Either drop `nesting: true` (if you wanted deny-all), or replace `require: false` with an explicit `require` config (e.g. `require: { builtin: [] }`) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.
+- **No other configurations are affected.** Bare `new NodeVM({ nesting: true })` continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change `nesting: true` semantics substantially).
+
+### What this fix does NOT close
+
+`nesting: true` itself remains an escape hatch for any non-trivial `require` config. The fix closes the **specific contradictory pair** flagged by the advisory; the broader recommendation is in the new README section: do not enable `nesting: true` when running untrusted code. Constraint propagation from outer to inner NodeVM (where the outer's `require` config would constrain inner construction) was considered and deferred — it would change the documented semantics of `nesting: true` and is a major-version-shaped change.
+
 ## [3.11.0]
 
 Coordinated security release closing 13 advisories, plus a new `bufferAllocLimit` option and a `realpath()` method on the FileSystem adapter contract. Minor version bump because of the new public option and the FileSystem contract addition; no incompatible changes to the existing public API surface. Embedders running untrusted code in memory-constrained environments should review the new `bufferAllocLimit` option and the README's [Hardening recommendations](README.md#hardening-recommendations) section.
diff --git a/README.md b/README.md
@@ -502,6 +502,24 @@ Even with `bufferAllocLimit` set, run the host process with `--max-old-space-siz
 
 The `'*'` wildcard expands to most Node built-ins, including `child_process`, `fs`, `dgram`, `net`, `http`, and `dns`. These are full host-capability primitives — `require('child_process').execSync('id')` is reachable from the sandbox under `'*'`. vm2's `'*'` semantics are intentional (some embedders run trusted-but-isolated code), but it should not be used as a default for untrusted code. Prefer an explicit allowlist of the smallest set of modules your sandbox actually needs.
 
+### 5. `nesting: true` is an escape hatch
+
+`nesting: true` lets sandbox code `require('vm2')` and construct nested NodeVMs. **The nested VM's `require` config is chosen by the sandbox code that constructs it, not constrained by the outer VM.** Concretely:
+
+```js
+const vm = new NodeVM({ nesting: true, require: { builtin: [] } });
+vm.run(`
+  const { NodeVM: NVM } = require('vm2');
+  // Inner VM's config is whatever the sandbox writes here:
+  const inner = new NVM({ require: { builtin: ['child_process'] } });
+  inner.run('require("child_process").execSync("id")');  // RCE
+`);
+```
+
+If you set `nesting: true`, you have effectively granted the sandbox the same trust level you have. **Do not enable `nesting: true` for untrusted code.** Use it only when you trust the sandboxed code itself but want VM-style execution semantics (fresh global, controlled timeouts) for non-security reasons.
+
+The combination `{ nesting: true, require: false }` throws `VMError` at construction (GHSA-8hg8-63c5-gwmx) because the pair is contradictory: `nesting: true` makes `vm2` requireable regardless of `require: false`, so the deny-all expectation cannot be honored. To deny all requires, remove `nesting: true`. To allow nested VMs, replace `require: false` with an explicit config so the tradeoff is visible.
+
 ## Known Issues
 
 -   It is not possible to define a class that extends a proxied class. This includes using a proxied class in `Object.create`.
diff --git a/docs/ATTACKS.md b/docs/ATTACKS.md
@@ -1798,6 +1798,78 @@ The race window between the canonicalization syscall and the subsequent loader s
 
 ---
 
+## Attack Category 25: NodeVM `nesting: true` + `require: false` Configuration Trap
+
+### Description
+
+`NodeVM`'s `nesting: true` option injects a `NESTING_OVERRIDE` builtin that exposes the `vm2` package to sandbox code regardless of any other `require` configuration. The override is unconditional — it survives `require: false`, narrow `builtin` allowlists, and every other restriction the user might set. With `vm2` reachable, the sandbox constructs an inner `NodeVM` whose `require` config is **chosen by the sandbox code, not constrained by the outer config** (this is by design of `nesting`). The inner NodeVM can be configured with `child_process`, `fs`, or any other host module → full host RCE.
+
+The **specific** trap GHSA-8hg8-63c5-gwmx flagged is the contradictory pair `{ nesting: true, require: false }`: a developer who sets `require: false` to lock down modules then enables `nesting: true` for legitimate child-VM use believes the sandbox is restricted. It is not. The deeper issue — `nesting: true` is fundamentally an escape hatch — is separately documented in the README.
+
+CWE-284 (Improper Access Control).
+
+### Attack Flow
+
+1. **Host configures contradictory pair**: `new NodeVM({ nesting: true, require: false })`.
+2. **Sandbox code requires `vm2`**: succeeds because `NESTING_OVERRIDE` injected `vm2` into the builtin map regardless of `require: false`.
+3. **Sandbox constructs inner NodeVM** with attacker-chosen `require` config: `new NVM({ require: { builtin: ['child_process'] } })`.
+4. **Inner sandbox loads `child_process`** and runs arbitrary commands as the host process user.
+
+### Canonical Example
+
+```javascript
+// (advisory GHSA-8hg8-63c5-gwmx)
+const vm = new NodeVM({ nesting: true, require: false });
+vm.run(`
+  const { NodeVM: NVM } = require('vm2');
+  const inner = new NVM({ require: { builtin: ['child_process'] } });
+  module.exports = inner.run(
+    'module.exports = require("child_process").execSync("id").toString()'
+  );
+`);
+// uid=1000(...) ...
+```
+
+### Why It Works
+
+The bug lives in `lib/resolver-compat.js` `makeResolverFromLegacyOptions`:
+
+```javascript
+function makeResolverFromLegacyOptions(options, override, compiler) {
+    if (!options) {
+        if (!override) return DENY_RESOLVER;     // require:false alone → deny all
+        // require:false + nesting:true → permissive resolver with vm2 loadable:
+        const builtins = makeBuiltinsFromLegacyOptions(undefined, defaultRequire, undefined, override);
+        return new Resolver(DEFAULT_FS, [], builtins);
+    }
+    ...
+}
+```
+
+`require: false` makes `requireOpts` falsy; `nesting: true` passes `NESTING_OVERRIDE` as `override`. The `(!options && override)` branch builds a resolver containing the override (which carries `vm2`) instead of returning `DENY_RESOLVER`. `lib/builtin.js`'s `makeBuiltinsFromLegacyOptions` merges `override` unconditionally, so `vm2` always lands in the resolver's builtin map.
+
+The reporter's framing — "mental-model mismatch" — is precise: there's no implementation bug in any individual line; the bug is the **interaction** between two options that look orthogonal but aren't.
+
+### Mitigation
+
+`NodeVM` constructor (`lib/nodevm.js`) throws `VMError` immediately when both `nesting: true` and `require: false` are set explicitly. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at construction with a clear, actionable error message citing the advisory and pointing to the README escape-hatch section. Enforces the principle that any configuration where vm2 cannot honor the developer's stated intent must fail loudly at the API surface, not produce a silently-permissive sandbox.
+
+The narrow fix closes the **specific** contradictory pair. The **broader** issue — `nesting: true` is documented as an escape hatch and grants sandbox code unrestricted host access via inner NodeVMs — is now documented prominently in README § "`nesting: true` is an escape hatch" and in the JSDoc on the `nesting` option. Embedders running untrusted code should not enable `nesting: true`.
+
+### Detection Rules
+
+- **`new NodeVM({ nesting: true, ... })`** with any `require` setting in code reviewing untrusted-code flows — flag as a likely escape path.
+- **`new NodeVM({ nesting: true, require: false })`** specifically — now throws at construction, but pre-3.11.1 codebases may have this pattern.
+- **Sandbox code containing `require('vm2')`** — only reachable when `nesting: true`; almost always indicates an escape attempt unless the embedder explicitly built a VM-spawning host integration.
+
+### Considered Attack Surfaces
+
+- **`{ nesting: true, require: { builtin: ['something'] } }`** (no `require: false`) — does NOT throw. The developer has explicitly opted into the escape hatch by configuring a non-`false` require. The README and JSDoc loudly state that `nesting: true` is unsafe for untrusted code; this is a documentation-level mitigation, not a code-level one. Constraint propagation from outer to inner NodeVM (where the outer's `require` config would constrain inner construction) is out of scope for the 3.11.1 patch — it would change the documented semantics of `nesting: true` substantially.
+- **Sandbox-side `require('vm2')` when `nesting: false`** — already throws `EDENIED` because the override is not installed. Unaffected.
+- **`mocks` / `overrides`** — bypass the resolver entirely; unaffected by this fix and unaffected by `nesting: true` (mocks don't carry the `vm2` package).
+
+---
+
 ## Considered Attack Surfaces
 
 These attack surfaces were analyzed and found to be safe or low-risk. They are documented here so future reviewers do not re-investigate them.
@@ -1915,6 +1987,7 @@ The most dangerous attacks combine multiple categories. Each pattern references
 | Array species self-return | set/defineProperty traps + neutralizeArraySpecies + SPECIES_ATTACK_SENTINEL |
 | Host prepareStackTrace fallback | Safe default always set; setter resets to safe default instead of `undefined` |
 | NodeVM `require.root` symlink bypass | `isPathAllowed` realpaths candidate before prefix check; `rootPaths` canonicalized at construction; deny-by-default if realpath throws |
+| NodeVM `nesting: true` + `require: false` config trap | Constructor throws `VMError` at the contradictory option pair, citing GHSA-8hg8-63c5-gwmx and the README escape-hatch section |
 
 ### Key Security Invariant: Promise Species Resolution Timing
 
diff --git a/lib/nodevm.js b/lib/nodevm.js
@@ -230,8 +230,15 @@ class NodeVM extends VM {
 	 * @param {customRequire} [options.require.customRequire=require] - Custom require to require host and built-in modules.
 	 * @param {boolean} [options.require.strict=true] - Load required modules in strict mode.
 	 * @param {boolean} [options.nesting=false] -
-	 * <b>WARNING: Allowing this is a security risk as scripts can create a NodeVM which can require any host module.</b>
-	 * Allow nesting of VMs.
+	 * <b>WARNING: <code>nesting: true</code> is an escape hatch — sandbox code
+	 * can <code>require('vm2')</code> and construct nested NodeVMs whose
+	 * <code>require</code> config is chosen by the sandbox, NOT constrained by
+	 * the outer config. Enabling <code>nesting: true</code> grants the sandbox
+	 * unrestricted host module access. Do not enable for untrusted code.
+	 * See README "`nesting: true` is an escape hatch".</b>
+	 * Combining <code>nesting: true</code> with <code>require: false</code>
+	 * throws <code>VMError</code> at construction (GHSA-8hg8-63c5-gwmx) — the
+	 * pair is contradictory.
 	 * @param {("commonjs"|"none")} [options.wrapper="commonjs"] - <code>commonjs</code> to wrap script into CommonJS wrapper,
 	 * <code>none</code> to retrieve value returned by the script.
 	 * @param {string[]} [options.sourceExtensions=["js"]] - Array of file extensions to treat as source code.
@@ -243,6 +250,28 @@ class NodeVM extends VM {
 	 * @throws {VMError} If the compiler is unknown.
 	 */
 	constructor(options = {}) {
+		// SECURITY (GHSA-8hg8-63c5-gwmx): `nesting: true` injects a NESTING_OVERRIDE
+		// builtin that exposes `vm2` to the sandbox regardless of `require: false`.
+		// The sandbox then constructs an inner NodeVM with attacker-chosen `require`
+		// config (unconstrained by the outer config — by design of nesting) and
+		// reaches `child_process` for full host RCE. The contradictory option pair
+		// is the specific trap the advisory describes; reject it at construction
+		// with a clear error rather than silently producing an unsandboxed config.
+		// (Bare `nesting: true` without `require: false` continues to work as the
+		// documented escape hatch; the README "`nesting: true` is an escape hatch"
+		// section explains the broader trade-off.)
+		if (options.nesting === true && options.require === false) {
+			throw new VMError(
+				'NodeVM `nesting: true` is incompatible with `require: false`. '
+				+ '`nesting: true` is an escape hatch that lets sandbox code '
+				+ '`require(\'vm2\')` and construct nested VMs unconstrained by the outer '
+				+ 'config — which contradicts `require: false`. To deny all requires, '
+				+ 'remove `nesting: true`. To allow nested VMs, replace `require: false` '
+				+ 'with an explicit config (e.g. `require: { builtin: [] }`) so the '
+				+ 'tradeoff is visible. See README "`nesting: true` is an escape hatch". '
+				+ 'Context: GHSA-8hg8-63c5-gwmx.'
+			);
+		}
 		const {
 			compiler,
 			eval: allowEval,
diff --git a/package.json b/package.json
@@ -13,7 +13,7 @@
 		"alcatraz",
 		"contextify"
 	],
-	"version": "3.11.0",
+	"version": "3.11.1",
 	"main": "index.js",
 	"sideEffects": false,
 	"repository": "github:patriksimek/vm2",
diff --git a/test/ghsa/GHSA-8hg8-63c5-gwmx/repro.js b/test/ghsa/GHSA-8hg8-63c5-gwmx/repro.js
@@ -0,0 +1,85 @@
+/**
+ * GHSA-8hg8-63c5-gwmx — `nesting: true` bypasses `require: false`
+ *
+ * ## Vulnerability
+ * `new NodeVM({ nesting: true, require: false })` constructed a permissive
+ * resolver containing the `NESTING_OVERRIDE` builtin (which exposes `vm2`)
+ * despite `require: false`. Sandbox code could `require('vm2')`, construct
+ * an inner `NodeVM` with attacker-chosen `require` config, and load
+ * `child_process` for full host RCE. The mental-model mismatch — developer
+ * sets `require: false` to lock down modules, then enables `nesting: true`
+ * for legitimate child-VM use — silently produces an unsandboxed config.
+ *
+ * ## Fix
+ * `NodeVM` constructor throws `VMError` immediately when both `nesting: true`
+ * and `require: false` are set explicitly. Forces the developer to make a
+ * deliberate choice: drop `nesting`, or replace `require: false` with an
+ * explicit `require` config. Same shape as the cp6g eager FileSystem probe.
+ *
+ * ## Out of scope
+ * `nesting: true` is fundamentally an escape hatch (sandbox can `require('vm2')`
+ * and construct inner NodeVMs unconstrained by the outer config). This fix
+ * closes the specific contradictory-config trap; the broader escape-hatch
+ * nature of `nesting: true` is now documented prominently in README §
+ * "`nesting: true` is an escape hatch".
+ */
+
+'use strict';
+
+const assert = require('assert');
+const { NodeVM, VMError } = require('../../../lib/main.js');
+
+describe('GHSA-8hg8-63c5-gwmx — nesting: true bypasses require: false', () => {
+
+	it('rejects { nesting: true, require: false } at construction', () => {
+		assert.throws(
+			() => new NodeVM({ nesting: true, require: false }),
+			err => err instanceof VMError
+				&& /nesting/.test(err.message)
+				&& /require/.test(err.message)
+				&& /GHSA-8hg8-63c5-gwmx/.test(err.message),
+			'construction should fail with a VMError citing nesting, require, and the advisory'
+		);
+	});
+
+	it('original PoC config is blocked at construction (cannot reach require(\'vm2\'))', () => {
+		// Without the fix, this would succeed and the inner VM would execute
+		// child_process.execSync('id'). With the fix, construction throws
+		// before vm.run is ever called.
+		assert.throws(() => {
+			const vm = new NodeVM({ nesting: true, require: false });
+			vm.run(`
+				const { NodeVM: NVM } = require('vm2');
+				const inner = new NVM({ require: { builtin: ['child_process'] } });
+				module.exports = inner.run('module.exports = require("child_process").execSync("id").toString()');
+			`);
+		}, err => err instanceof VMError && /GHSA-8hg8-63c5-gwmx/.test(err.message));
+	});
+
+	it('accepts { nesting: true, require: { builtin: [] } } (explicit empty allowlist)', () => {
+		// Legitimate use: nesting enabled, no other host modules. Developer
+		// has explicitly acknowledged that vm2 will be requireable.
+		assert.doesNotThrow(() => new NodeVM({ nesting: true, require: { builtin: [] } }));
+	});
+
+	it('accepts { nesting: true } alone (default require — escape-hatch use, documented)', () => {
+		// Bare `nesting: true` continues to work as documented. The README
+		// "`nesting: true` is an escape hatch" section explains the trade-off.
+		// Not closed here (would require Option C constraint propagation —
+		// out of scope for 3.11.1). This regression test ensures the narrow
+		// fix doesn't accidentally break the bare-nesting case.
+		assert.doesNotThrow(() => new NodeVM({ nesting: true }));
+	});
+
+	it('accepts { require: false } alone (no nesting — deny all requires)', () => {
+		// Existing behavior: require: false without nesting is fine — sandbox
+		// truly cannot require anything. Regression guard.
+		assert.doesNotThrow(() => new NodeVM({ require: false }));
+	});
+
+	it('accepts { } (default config — no nesting, no require)', () => {
+		// Regression guard for the most common case.
+		assert.doesNotThrow(() => new NodeVM());
+	});
+
+});
