PT-2026-36847 · Npm · Vm2

Xmiliah · Published 2026-05-01 · Updated 2026-05-11 · CVE-2026-24120

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.10.5

Description: An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is possible because the resetPromiseSpecies() function, which is intended to reset the species property of promise objects, relies on [].includes and Object.defineProperty. These functions can be overwritten to prevent the property from being changed, leading to remote code execution if an attacker can run arbitrary code within the sandbox context.

Recommendations: Update to version 3.10.5.

Weakness Enumeration

Protection Mechanism Failure
Code Injection

Related Identifiers

BDU:2026-06464
CVE-2026-24120
GHSA-QVJJ-29QF-HP7P

Affected Products

Vm2