Vm2 (3.9.6 - 3.10.5)

A vulnerability in vm2 versions 3.9.6 through 3.10.5 allows attacker-controlled JavaScript running in a default VM or inherited NodeVM to mutate shared host prototypes from inside the sandbox, leading to sandbox escape and prototype pollution.