PT-2026-45031 · Npm · Vm2

Published 2026-05-29 · Updated 2026-05-30 · CVE-2026-47208

CVSS v3.1 · 10 · Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

vm2 versions prior to 3.11.4

Description

A sandbox breakout exists that allows attackers to escape the VM2 sandbox and execute arbitrary commands on the host system. The issue occurs because the localPromise constructor calls this.then(undefined, eater) without calling resetPromiseSpecies. This omission allows a custom promise to supply a custom reject method to the executor, enabling the attacker to obtain a raw host error and break out of the sandbox.

Recommendations

Update to version 3.11.4.
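To confirm the update reached every installed copy, including copies pulled in transitively, the lockfile can be checked for vm2 entries prior to 3.11.4. The script below is an added example, not part of the advisory or the vm2 project; the function names and the sample lockfile are constructed for illustration, and it expects an already parsed package-lock.json.

```javascript
const FIXED = "3.11.4"; // fixed release named in the advisory
// Parse "x.y.z" with an optional prerelease tag; returns null when unparseable.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m && { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// True when prior to FIXED; unparseable values (git URLs, tags) are flagged for manual review.
function isVulnerable(version) {
  const v = parse(version), f = parse(FIXED);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== f.nums[i]) return v.nums[i] < f.nums[i];
  }
  return v.pre; // e.g. 3.11.4-rc.1 sorts before 3.11.4
}

// Walk a parsed package-lock.json and return every vm2 copy prior to FIXED.
function findVulnerableVm2(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === "vm2" && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || meta.link) continue; // root project / workspace symlink
      check(meta.name || path.split("node_modules/").pop(), path, meta);
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile; "demo-app", "some-plugin" and "other" are made up.
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/vm2": { version: "3.11.4" },
  "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
  "node_modules/other/node_modules/vm2": { version: "3.11.3" },
} };
console.log(findVulnerableVm2(sampleLock));
```

A top-level vm2 at the fixed version does not clear nested copies, which is why the walk reports each install path separately.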

Related Identifiers

CVE-2026-47208
GHSA-76W7-J9CQ-RX2J

Affected Products

Vm2