Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
Published: 2026-02-06
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SandboxJS, a JavaScript sandboxing library, has a flaw where the return values of functions are not wrapped. By using Object.values or Object.entries on a sandboxed object, an attacker can retrieve an array that includes the host’s Function constructor. Leveraging Array.prototype.at allows the attacker to extract the host Function constructor, which can then be used to execute arbitrary code outside the sandboxed context. This allows remote code execution from within the sandbox, granting full control of the host process.

Affected Systems

The affected product is SandboxJS by nyariv. All versions prior to 0.8.29 are vulnerable. The vulnerability is fixed in 0.8.29 and later releases. No other vendors or products are listed.

Risk and Exploitability

The vulnerability has a CVSS score of 10, indicating a critical impact. The EPSS score is less than 1%, suggesting low likelihood of exploitation at this time. It is not included in the CISA KEV catalog. Exploitation would likely come from any JavaScript code that is allowed to run inside the sandbox; thus, systems exposing user-controlled scripts to SandboxJS are at risk.

Generated by OpenCVE AI on April 18, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SandboxJS to version 0.8.29 or later.
  • Review and restrict any usage of Object.values, Object.entries, and Array.prototype.at in untrusted code paths to prevent accidental exposure of host objects.
  • Ensure that all JavaScript code executed by SandboxJS is sourced from trusted users or has undergone validation; consider disabling or sanitizing access to host Function objects in the sandbox configuration.

Generated by OpenCVE AI on April 18, 2026 at 13:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-58jh-xv4v-pcx4 @nyariv/sandboxjs has a Sandbox Escape issue
History

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Nyariv
Nyariv sandboxjs
Vendors & Products Nyariv
Nyariv sandboxjs

Fri, 06 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
Title SandboxJS has a Sandbox Escape
Weaknesses CWE-74
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nyariv Sandboxjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:18:08.646Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25520

cve-icon Vulnrichment

Updated: 2026-02-06T20:17:55.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T20:16:10.440

Modified: 2026-02-18T14:33:15.567

Link: CVE-2026-25520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses