Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.
Published: 2026-03-13
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch
AI Analysis

Impact

SandboxJS is a JavaScript sandboxing library that, before version 0.8.34, allows an attacker to obtain arrays containing Function objects. By combining such an array with Object.fromEntries, an adversary can construct an object with arbitrary constructible property keys pointing to Function values. This flaw enables a sandbox escape, giving the attacker the ability to execute arbitrary code within the host Node.js process. The weakness aligns with CWE‑94 (Code Injection).

Affected Systems

The vulnerability affects the nyariv sandboxjs library for all versions prior to 0.8.34. Any deployment that includes a version of SandboxJS older than 0.8.34 is potentially exploitable.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. The EPSS score is less than 1%, suggesting a low probability of real‑world exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be local exploitation through providing malicious input or code to the sandboxed environment, and is likely to be exploitable in server‑side Node.js applications that use SandboxJS. If the attacker can supply input that is evaluated by SandboxJS, they may escape the sandbox and run arbitrary code.

Generated by OpenCVE AI on March 17, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SandboxJS to version 0.8.34 or later.
  • Verify that all dependencies are up to date and that no untrusted input is passed to the sandbox.

Generated by OpenCVE AI on March 17, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6r9f-759j-hjgv SandboxJS affected by a Sandbox Escape
History

Tue, 17 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*

Mon, 16 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Nyariv
Nyariv sandboxjs
Vendors & Products Nyariv
Nyariv sandboxjs

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.
Title SandboxJS has a Sandbox Escape
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nyariv Sandboxjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:06:55.221Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26954

cve-icon Vulnrichment

Updated: 2026-03-16T17:06:45.533Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:31.143

Modified: 2026-03-17T20:13:06.470

Link: CVE-2026-26954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:02:46Z

Weaknesses