CVE-2026-44000

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0

Description A sandbox boundary violation allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the .then() callback preserves host identity. This occurs because the Promise fulfillment wrapper uses the ensureThis() function instead of a stronger cross-realm conversion path. If no prototype mapping is found, ensureThis() returns the original object, allowing the sandbox to interact with the host object directly. This enables performing identity checks using host-side WeakMap and mutating host object state from inside the sandbox.

Recommendations Update to version 3.11.0.