Impact
SandboxJS is a JavaScript sandboxing library that protects the host from untrusted code by limiting prototype access. In versions prior to 0.8.29, Map is marked as a safe prototype and untrusted code can reach its prototype via Map.prototype. Because that prototype is shared with the host, untrusted code can overwrite its has function, breaching the sandbox and running arbitrary code outside the intended boundary. The result is a complete loss of isolation: attackers can read or modify privileged data and execute further malicious code, compromising the confidentiality, integrity, and availability of the host application.
Affected Systems
The affected product is SandboxJS by nyariv, commonly used in Node.js applications. All releases before 0.8.29 are vulnerable; version 0.8.29 and later include the fix. Any application that imports a pre-0.8.29 build of the library is at risk on any host platform running Node.js.
Risk and Exploitability
The CVSS score of 10 denotes critical severity. Although the EPSS score of less than 1% indicates that current exploitation activity is low, and the vulnerability is not listed in the CISA KEV catalog, the high impact means that any exposure to untrusted JavaScript offers a straightforward attack path. An attacker can trigger the escape simply by redefining Map.prototype.has within the sandboxed context, with no need for additional privileges. Consequently, the risk remains high until the library is updated or the exposure is otherwise mitigated.
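The escape works because the sandbox hands untrusted code a prototype that the host itself uses. The following is an added example, not code from the SandboxJS project or its fix: it shows two host-side defence-in-depth measures that any application evaluating untrusted JavaScript can apply regardless of which sandboxing library it uses. Before any untrusted code runs, the host snapshots the property descriptors of the builtin prototypes it wants to guard and freezes them; after untrusted code has run, it compares the live prototypes against the snapshot to detect a replaced method such as Map.prototype.has. The GUARDED list, the function names and the simulated tampering attempt are assumptions made for this example; upgrading SandboxJS to 0.8.29 or later remains the actual remedy.

```javascript
'use strict';
// Added example (not SandboxJS code): host-side hardening and integrity
// checking for builtin prototypes that untrusted code might reach.

// Assumption: these are the builtins whose prototypes this host guards.
// Object.prototype is left out because freezing it can break third-party
// libraries; evaluate that separately for your application.
const GUARDED = [Map, Set, WeakMap, WeakSet];

// Record every own property descriptor of each guarded prototype.
// Take this snapshot at startup, before any untrusted code runs.
function snapshotPrototypes(ctors = GUARDED) {
  const snapshot = new Map();
  for (const ctor of ctors) {
    const props = new Map();
    for (const key of Reflect.ownKeys(ctor.prototype)) {
      props.set(key, Object.getOwnPropertyDescriptor(ctor.prototype, key));
    }
    snapshot.set(ctor, props);
  }
  return snapshot;
}

// Compare the live prototypes with the snapshot. Returns the names of
// properties whose value, getter or setter changed, or that were added or
// removed. An empty array means no tampering was observed.
function checkPrototypeIntegrity(snapshot) {
  const tampered = [];
  for (const [ctor, props] of snapshot) {
    const keys = new Set([...props.keys(), ...Reflect.ownKeys(ctor.prototype)]);
    for (const key of keys) {
      const before = props.get(key);
      const now = Object.getOwnPropertyDescriptor(ctor.prototype, key);
      if (!before || !now || before.value !== now.value ||
          before.get !== now.get || before.set !== now.set) {
        tampered.push(`${ctor.name}.prototype.${String(key)}`);
      }
    }
  }
  return tampered;
}

// Put the snapshotted descriptors back. Only possible while the prototype
// is still configurable, i.e. before hardenPrototypes() has run.
function restorePrototypes(snapshot) {
  for (const [ctor, props] of snapshot) {
    for (const key of Reflect.ownKeys(ctor.prototype)) {
      if (!props.has(key)) delete ctor.prototype[key];
    }
    for (const [key, desc] of props) Object.defineProperty(ctor.prototype, key, desc);
  }
}

// Freeze the guarded prototypes so assignments to their methods fail.
// Returns true when every guarded prototype is frozen.
function hardenPrototypes(ctors = GUARDED) {
  for (const ctor of ctors) Object.freeze(ctor.prototype);
  return ctors.every((ctor) => Object.isFrozen(ctor.prototype));
}

// Constructed tampering attempt used to exercise the checks above (no
// sandbox involved). Reports whether the overwrite actually took effect;
// on a frozen prototype the strict-mode assignment throws a TypeError and
// the original method survives.
function overwriteTookEffect(proto, key, replacement) {
  const original = proto[key];
  try {
    proto[key] = replacement;
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  return proto[key] === replacement && proto[key] !== original;
}

// Walk through both measures once: detect a tampered Map.prototype.has,
// restore it, then freeze and confirm a second attempt has no effect.
function demo() {
  const snapshot = snapshotPrototypes();
  overwriteTookEffect(Map.prototype, 'has', function () { return true; });
  const detected = checkPrototypeIntegrity(snapshot);   // ['Map.prototype.has']
  restorePrototypes(snapshot);
  const clean = checkPrototypeIntegrity(snapshot);      // []
  const frozen = hardenPrototypes();
  const blocked = !overwriteTookEffect(Map.prototype, 'has', function () { return true; });
  return { detected, clean, frozen, blocked };
}
```

Call `demo()` once to see both measures in action; freezing is irreversible for the lifetime of the process, so in a real host take the snapshot and freeze during startup, and run `checkPrototypeIntegrity()` after each batch of untrusted code (or on a timer) as a tamper alarm in case some prototype could not be frozen.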
OpenCVE Enrichment
Github GHSA