fix: Fix security issue in vm2 via minor version upgrade from 3.10.5 to 3.11.2

[aikido-autofix]

Upgrade vm2 to fix critical sandbox escape vulnerabilities including RCE via proxy handler leaks, cross-realm symbol extraction, prototype pollution, module loading policy bypass, and exception handling exploits.

✅ There are no breaking changes

✅ 17 CVEs resolved by this upgrade, including 10 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue	Severity	Description
AIKIDO-2026-10718	🚨 CRITICAL	[vm2] A sandbox escape vulnerability allows guest code to access internal proxy handler objects through crafted conditions, enabling attackers to pivot to host execution and break out of the sandbox environment.
AIKIDO-2026-10719	🚨 CRITICAL	[vm2] A trust-boundary vulnerability allows guest code to extract host-only symbols from opaque objects, enabling construction of gadget chains that lead to remote code execution on the host system.
AIKIDO-2026-10721	🚨 CRITICAL	[vm2] A prototype pollution vulnerability allows guest code to mutate host intrinsic prototypes through write traps on bridged objects, breaking sandbox isolation and enabling arbitrary host behavior modification. This permits guest-controlled code to affect critical host runtime objects that should be protected from guest interference.
AIKIDO-2026-10722	🚨 CRITICAL	[vm2] A policy bypass vulnerability allows attackers to load restricted modules through module-family builtins and Module._load, circumventing the curated allowlist. This enables unauthorized access to capabilities that should be denied by the sandbox policy.
AIKIDO-2026-10731	🚨 CRITICAL	[vm2] A sandbox escape vulnerability allows guest code to leak host-side inspection surfaces through exception handling, enabling recovery of dangerous constructors and breaking isolation boundaries, leading to remote code execution on the host.
AIKIDO-2026-10716	🚨 CRITICAL	[vm2] A property descriptor lookup flaw allows guest code to recover host-side capabilities through __lookupGetter__-style paths, breaking sandbox isolation and enabling remote code execution on the host.
AIKIDO-2026-10717	🚨 CRITICAL	[vm2] A sandbox breakout vulnerability allows guest code to manipulate inspection paths and leak host-side representations, enabling attackers to regain access to dangerous constructors and achieve remote code execution on the host system.
AIKIDO-2026-10720	🚨 CRITICAL	[vm2] A sandbox escape vulnerability exists where guest code can exploit error object structures in promise error handling to bypass sanitization and execute arbitrary code on the host system. The vulnerability bypasses promise hardening through aggregate and suppressed error shapes that create unprotected execution pathways.
AIKIDO-2026-10730	🚨 CRITICAL	[vm2] A vulnerability in bridge code that restores saved state can trigger user-defined Array.prototype setters, allowing attacker code execution that pivots to the host environment. This results in remote code execution through accidental sandbox callback invocation.
AIKIDO-2026-10689	🚨 CRITICAL	[vm2] A vulnerability allows sandbox code to bypass module restrictions by requiring the vm2 builtin when nesting is enabled, enabling attackers to construct a new VM with unrestricted require access and execute arbitrary operating system commands.
AIKIDO-2026-10723	HIGH	[vm2] A vulnerability in promise executor paths causes unhandled rejections that can crash or destabilize the host process when triggered by guest code, resulting in a denial of service attack against the host runtime.
AIKIDO-2026-10728	HIGH	[vm2] A path traversal vulnerability in NodeVM allows attackers to bypass the require.root restriction through symlinked entries, enabling sandbox escape and arbitrary code execution. The fix implements path canonicalization using realpath to properly enforce directory boundaries.
AIKIDO-2026-10724	HIGH	[vm2] Guest code can exploit Buffer.alloc with extremely large sizes to exhaust host heap memory, causing denial of service against the embedding process. This bypasses typical timeout protections, as memory allocation is not network-bound.
AIKIDO-2026-10725	MEDIUM	[vm2] A vulnerability in promise resolution allows attackers to bypass sandbox isolation by preserving host object identity through .then handling and null-prototype edge cases, enabling access to raw host objects that should remain outside guest reach.
AIKIDO-2026-10726	MEDIUM	[vm2] A vulnerability in prepareStackTrace integration leaks sensitive host information including filesystem paths and deployment environment details to untrusted guest code, resulting in information disclosure about the host system.
AIKIDO-2026-10729	MEDIUM	[vm2] A privileged internal identifier could be accessed through computed property access on globalThis, allowing attackers to reference private state and weaken the guest isolation boundary for use in exploit chains.
AIKIDO-2026-10727	MEDIUM	[vm2] A sandbox bypass vulnerability exists where attackers can exploit the code transformer's fast path using with statements and unicode-escaped identifiers to access privileged internal state, enabling remote code execution outside the sandbox.

🔗 Related Tasks

• https://linear.app/n8n/issue/SEC-632/minor-upgrade-for-vm2-n8n

- [x] I have seen this code, I have run this code, and I take responsibility for this code.

[n8n-assistant]

Hey @aikido-autofix[bot],

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email nodes@n8n.io and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-8153". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.

[cubic-dev-ai]

No issues found across 2 files

Architecture diagram

sequenceDiagram
    participant App as n8n Application
    participant Pkg as package.json / catalog
    participant NPM as npm Registry
    participant VM2 as vm2 Sandbox (runtime)
    participant Guest as Untrusted Guest Code
    participant Host as Host System (Node.js)

    Note over App,Host: Dependency Upgrade: vm2 3.10.5 → 3.11.2 (no breaking changes)

    App->>Pkg: Read vm2 version constraint
    Pkg-->>App: "vm2": "3.11.2"

    App->>NPM: Fetch vm2@3.11.2 package
    NPM-->>App: Install vm2 3.11.2 (sandbox engine)

    Note over VM2,Guest: Sandbox Initialization (unchanged API)

    App->>VM2: new NodeVM(options)
    VM2->>VM2: Initialize with patched isolation layer
    VM2->>Guest: Execute untrusted code in sandbox

    alt Guest tries known exploit vectors (3.10.5)
        Guest->>VM2: Attempt proxy handler leak (CVE AIKIDO-2026-10718)
        VM2-->>Guest: BLOCKED - Proxy handlers now hardened
        Guest->>VM2: Try cross-realm symbol extraction (CVE AIKIDO-2026-10719)
        VM2-->>Guest: BLOCKED - Symbol isolation enforced
        Guest->>VM2: Attempt prototype pollution via write traps (CVE AIKIDO-2026-10721)
        VM2-->>Guest: BLOCKED - Host prototypes protected
        Guest->>VM2: Try module policy bypass via Module._load (CVE AIKIDO-2026-10722)
        VM2-->>Guest: BLOCKED - Module loading policy enforced
        Guest->>VM2: Exploit exception handling to leak constructors (CVE AIKIDO-2026-10731)
        VM2-->>Guest: BLOCKED - Error objects sanitized
        Guest->>VM2: Attempt property descriptor lookup (__lookupGetter__) (CVE AIKIDO-2026-10716)
        VM2-->>Guest: BLOCKED - Inspection paths secured
        Guest->>VM2: Manipulate inspection surfaces (CVE AIKIDO-2026-10717)
        VM2-->>Guest: BLOCKED - Representation leakage fixed
        Guest->>VM2: Exploit promise error structures (CVE AIKIDO-2026-10720)
        VM2-->>Guest: BLOCKED - Promise handling hardened
        Guest->>VM2: Trigger Array.prototype setter via bridge restore (CVE AIKIDO-2026-10730)
        VM2-->>Guest: BLOCKED - Saved state restore fixed
        Guest->>VM2: Require vm2 builtin when nesting enabled (CVE AIKIDO-2026-10689)
        VM2-->>Guest: BLOCKED - Nested access restricted
    else Normal guest execution
        Guest->>VM2: Run user-provided code
        VM2->>VM2: Execute within security boundaries
        alt Resource limits enforced
            Guest->>VM2: Allocate extremely large Buffer (CVE AIKIDO-2026-10724)
            VM2->>VM2: Memory limit triggered, allocation denied
            VM2-->>Guest: Error: Sandbox denied allocation
        end
        VM2-->>Guest: Sandboxed result (no host access)
    end

    Note over VM2,Host: All exploits that would succeed in 3.10.5 are now blocked

    alt Guest attempts symlink path traversal (CVE AIKIDO-2026-10728)
        Guest->>VM2: Require module via symlink outside root
        VM2->>VM2: Canonicalize path via realpath
        alt Path outside allowed root
            VM2-->>Guest: BLOCKED - path traversal prevented
        else Path inside allowed root
            VM2->>Host: Load module (allowed)
            Host-->>VM2: Module content
            VM2-->>Guest: Module provided
        end
    end

    VM2-->>App: Return sandbox execution result
    App->>App: Continue normal processing

Loading