Impact
SandboxJS is a JavaScript sandboxing library that prevents direct assignment to global objects such as Math. However, the library allows a bypass through an exposed constructor call path, using this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is permitted, attackers can write arbitrary properties into host global objects. These mutations persist across sandbox instances within the same process, effectively allowing the attacker to alter global state, potentially injecting malicious code or leaking data. The weakness aligns with CWE‑693 (Improper handling of input) and CWE‑915 (Improper use of a Function constructor). The impact is full compromise of confidentiality, integrity, and availability for any Node.js process that loads the vulnerable SandboxJS version.
Affected Systems
nyariv SandboxJS versions prior to 0.8.36 used within Node.js applications. No other vendor or product is mentioned, so the scope is limited to projects that incorporate this library directly. The library is typically deployed as a dependency in JavaScript or Node.js projects, so any application that imports SandboxJS and runs untrusted code within the sandbox is at risk.
Risk and Exploitability
The CVSS score of 10 indicates that all impact dimensions are affected. Exploit probability is low, with an EPSS score of less than 1%, suggesting that widespread exploitation has not yet been observed, and the vulnerability is not listed in the CISA KEV catalog. The likely attack requires the ability to execute code inside the sandbox; thus, it is a local or code‑intrusion vector. Once attacker code reaches the sandbox, the constructor bypass can be invoked to escape the sandbox and modify global objects, compromising the entire Node.js process.
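Because the writes described under Impact land on host globals and persist across sandbox instances, a host can snapshot those objects before running untrusted code and diff them afterwards. The following is an added example, not code from SandboxJS or from this advisory; the watch list, the function names and the simulated writes in demo() are assumptions made for illustration.

```javascript
// Added example, not SandboxJS code: integrity check on host globals around a sandbox run.
// WATCHED is an assumed watch list; extend it with every object the host shares.
const WATCHED = { Math, JSON, 'Object.prototype': Object.prototype,
                  'Function.prototype': Function.prototype };

// Record each watched object's own property descriptors (string and symbol keys).
function snapshotGlobals(targets = WATCHED) {
  const snap = new Map();
  for (const [name, obj] of Object.entries(targets)) {
    snap.set(name, new Map(Reflect.ownKeys(obj).map(
      (key) => [key, Reflect.getOwnPropertyDescriptor(obj, key)])));
  }
  return snap;
}

const same = (a, b) =>
  Object.is(a.value, b.value) && a.get === b.get && a.set === b.set;

// Diff current state against the snapshot; with restore=true, roll changes back.
function auditGlobals(snap, { restore = false, targets = WATCHED } = {}) {
  const findings = [];
  for (const [name, obj] of Object.entries(targets)) {
    const before = snap.get(name);
    for (const key of new Set([...before.keys(), ...Reflect.ownKeys(obj)])) {
      const old = before.get(key);
      const now = Reflect.getOwnPropertyDescriptor(obj, key);
      const change = !old ? 'added' : !now ? 'removed'
        : same(old, now) ? null : 'modified';
      if (!change) continue;
      findings.push({ object: name, key: String(key), change });
      if (!restore) continue;
      if (old) Reflect.defineProperty(obj, key, old);
      else Reflect.deleteProperty(obj, key);
    }
  }
  return findings;
}

// Constructed stand-in for the effect described above: writes that reached host Math.
function demo() {
  const snap = snapshotGlobals();
  const realMax = Math.max;
  Math.max = () => 0;      // built-in overwritten
  Math.injected = 'x';     // new property planted
  const findings = auditGlobals(snap, { restore: true });
  return { findings, restored: Math.max === realMax && !('injected' in Math) };
}

console.log(demo());
```

The check is shallow (own properties of the listed objects only) and serves as detection and cleanup between runs; it does not replace moving off versions prior to 0.8.36.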