CVE-2026-44001

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0

Description A sandbox escape allows sandboxed code to crash the host Node.js process. This occurs when a Promise constructor triggers an unhandled rejection that propagates to the host. Specifically, when sandboxed code creates a Promise where the executor sets Error.name to a Symbol() and then accesses .stack, V8's internal FormatStackTrace attempts Symbol.toString(), throwing a host-realm TypeError. Because the Promise executor is not wrapped in a try-catch block in lib/setup-sandbox.js, and the .then() and .catch() overrides do not intercept rejections originating from the executor, the error becomes an unhandled rejection that terminates the host process. This results in a Denial of Service (DoS) where a single request can crash the entire server. Setting allowAsync: false does not prevent this and may exacerbate the issue by blocking .catch() method calls, ensuring the rejection remains unhandled.

Recommendations Update to version 3.11.0 or later.