diff --git a/lib/bridge.js b/lib/bridge.js
index c27de2e..47b8b5c 100644
--- a/lib/bridge.js
+++ b/lib/bridge.js
@@ -420,7 +420,10 @@ function createBridge(otherInit, registerProxy) {
 switch (key) {
 case 'constructor': {
 const desc = otherSafeGetOwnPropertyDescriptor(object, key);
- if (desc) return thisDefaultGet(this, object, key, desc);
+ if (desc) {
+ if (desc.value && desc.value.name === 'Function') return {};
+ return thisDefaultGet(this, object, key, desc);
+ }
 const proto = thisReflectGetPrototypeOf(target);
 return proto === null ? undefined : proto.constructor;
 }
diff --git a/test/vm.js b/test/vm.js
index 14e4aca..d31b1f6 100644
--- a/test/vm.js
+++ b/test/vm.js
@@ -1135,6 +1135,16 @@ describe('VM', () => {
 `), /Sandbox escape attempt blocked/);
 });
 
+ it('constructor arbitrary code attack', async () => {
+ const vm2 = new VM();
+ assert.throws(()=>vm2.run(`
+ const g = ({}).__lookupGetter__;
+ const a = Buffer.apply;
+ const p = a.apply(g, [Buffer, ['__proto__']]);
+ p.call(a).constructor('return process')();
+ `), /constructor is not a function/);
+ });
+
 after(() => {
 vm = null;
 });
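Review bot: The new guard in the `case 'constructor'` branch recognises the function constructor by its `name` string (`desc.value.name === 'Function'`), which is a denylist of one spelling rather than a check on what the value actually is. Constructors that also compile source text but report a different name (AsyncFunction, GeneratorFunction, AsyncGeneratorFunction) would pass it, and whether another path in the bridge covers them is not visible from this hunk. An identity comparison of `desc.value` against the other realm's function constructors, captured once when the bridge is created, would not depend on `name`, and the fallback `proto.constructor` two lines below may deserve the same check. A comment above the guard would help the next maintainer, for example `// Never pass the other realm's Function constructor across the bridge: it compiles strings in that realm.` The enclosing handler inside createBridge starts and ends outside the hunk.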
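Review bot: The assertion in the new test matches only the message `/constructor is not a function/`, which pins the test to the guard returning `{}` rather than to the security property that sandboxed code never obtains a working function constructor or the host `process`. If the guard later throws or returns `undefined` instead, the test fails although the sandbox is still sound, so a second assertion on the property itself would be sturdier. The callback is also declared `async` without awaiting anything, so `it('constructor arbitrary code attack', () => {` is enough. Sibling cases for the other function-constructor kinds would belong next to this one.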