PT-2023-32964 · vm2+3

Published 2023-09-15 · Updated 2023-09-15

CVSS v3.1 7.6 High

Vector AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Vulnerable software and affected versions: vm2 up to and including 3.9.19; Directus prior to 10.6.0
Description: An attacker who can supply script to a vm2 sandbox can bypass vm2's Promise handler sanitization, escape the sandbox, and execute arbitrary code in the host process. In Directus this is reachable through the "Run Script" operation in Flows: a script supplied to that operation can escape the vm2 sandbox and run in the main Node.js context of the Directus server rather than inside the sandbox.
Recommendations: This advisory lists no patched vm2 release; the mitigation for applications embedding vm2 3.9.19 or earlier is to stop executing untrusted script in vm2 and move to an isolate-based sandbox such as isolated-vm, which is what Directus did. Directus deployments on versions prior to 10.6.0 should update to 10.6.0, which replaces vm2 with isolated-vm for the "Run Script" operation.
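The check a practitioner would want before and after the upgrade, as an added example that is not part of this advisory or of the vm2 and Directus projects: a Node.js script that walks an npm lockfile and flags every vm2 copy at or below 3.9.19 and every Directus package below 10.6.0, including copies nested under other dependencies. It assumes the npm lockfile layouts (a flat "packages" map for lockfileVersion 2/3, a nested "dependencies" tree for lockfileVersion 1); the sample lockfile embedded below is constructed for the demonstration.

```javascript
// Added example, not code from the advisory or from vm2/Directus.
// Flags the versions named in PT-2023-32964 inside an npm lockfile.

// Rules taken from the advisory: vm2 <= 3.9.19, Directus < 10.6.0.
const AFFECTED = [
  { name: 'vm2', range: '<= 3.9.19', isAffected: (v) => compareSemver(v, [3, 9, 19]) <= 0 },
  { name: 'directus', range: '< 10.6.0', isAffected: (v) => compareSemver(v, [10, 6, 0]) < 0 },
];

// Parse "major.minor.patch" (optional leading "v"); prerelease/build tags are
// ignored, so "3.9.19-beta.1" is treated as 3.9.19 (conservative for a scanner).
function parseSemver(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1 like a comparator, comparing component by component.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walks a parsed package-lock.json object and returns one finding per
// affected package instance: { name, version, range, where }.
function findAffected(lockfile) {
  const findings = [];
  const check = (name, version, where) => {
    const parsed = parseSemver(version);
    if (!parsed) return;
    for (const rule of AFFECTED) {
      if (rule.name === name && rule.isAffected(parsed)) {
        findings.push({ name, version, range: rule.range, where });
      }
    }
  };

  if (lockfile.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, "" is the root project.
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (!path || !entry.version) continue;
      const marker = 'node_modules/';
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, entry.version, path);
    }
  } else if (lockfile.dependencies) {
    // lockfileVersion 1: nested tree keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        if (entry.version) check(name, entry.version, where);
        if (entry.dependencies) walk(entry.dependencies, `${where}/`);
      }
    };
    walk(lockfile.dependencies, '');
  }
  return findings;
}

// Renders findings as report lines (returned, not only printed, so it can be checked).
function report(findings) {
  if (findings.length === 0) return ['OK: no vm2 <= 3.9.19 or Directus < 10.6.0 found'];
  return findings.map((f) => `AFFECTED ${f.name}@${f.version} (${f.range}) at ${f.where}`);
}

// Constructed sample lockfile (lockfileVersion 3): a Directus install below
// 10.6.0, a top-level vm2, and a second vm2 nested under another dependency.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/directus': { version: '10.5.3' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/isolated-vm': { version: '4.6.0' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/vm2': { version: '3.9.18' },
  },
};

for (const line of report(findAffected(SAMPLE_LOCKFILE))) console.log(line);
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies matter here: a transitive vm2 under another dependency is just as exploitable as a direct one, and an upgrade of the top-level package alone does not remove it.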

Fix: Directus 10.6.0, which replaces vm2 with isolated-vm

Related Identifiers

GHSA-22rr-f3p8-5gf8

Affected Products

Directus
Node.js
isolated-vm
vm2