SandboxJS critical sandbox escape to host code execution
TL;DR - Sandboxed code in SandboxJS can reach into the host Function constructor through Object.entries(this) and friends. Arbitrary host code execution. CVSS 10.0.
What happened
SandboxJS (@nyariv/sandboxjs) runs untrusted JavaScript by interpreting it at the AST level. The new CVE is a critical sandbox escape: sandboxed code can obtain an array containing the host Function constructor and use it to execute code outside the sandbox. The advisory shows escape paths like Object.entries(this).at(1) and Object.values(this).slice(1, 2) combined with Object.fromEntries.
JS sandbox escapes are a well-known class. Node's built-in vm module has the same fundamental problem. SandboxJS is the latest library to learn that building a secure JavaScript sandbox in userspace is extraordinarily hard.
Who is impacted
- @nyariv/sandboxjs versions <= 0.8.33.
- Projects executing untrusted or semi-trusted JavaScript through SandboxJS.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- If you rely on SandboxJS for tenant isolation or user-provided scripts, assume prior executions may have had a path to sandbox escape → RCE.
- Review runtime isolation (least-privilege OS user, container boundaries, network egress restrictions).
- Inventory transitive dependencies and prioritize internet-exposed or multi-tenant services.
