Impact
SandboxJS is a JavaScript sandboxing library that previously prevented direct assignment to host global objects such as Math.random. The vulnerability allows this protection to be bypassed through the exposed constructor path, specifically by using this.constructor.call to invoke the internal SandboxGlobal function. A successful bypass grants the ability to write arbitrary properties into host global objects and to persist those mutations across all sandbox instances in the same process, effectively enabling code execution within the host environment. The weakness corresponds to the Common Weakness Enumeration identifiers CWE-693 and CWE-915, indicating improper restriction of operations and inadequate safeguards against critical data manipulation, respectively.
Affected Systems
The vulnerability affects the nyariv:SandboxJS library in all releases before version 0.8.36. Users running these earlier versions are at risk when processing untrusted JavaScript within the sandbox.
Risk and Exploitability
The CVSS score of 10 signals maximum severity, but no EPSS score is reported, indicating insufficient data on current exploit frequency. The vulnerability is not listed in CISA’s KEV catalog. Executing attacker-supplied JavaScript that leverages this constructor call path can modify global objects, but it requires that code to run within the same process as the sandbox. The likely attack vector is the execution of untrusted JavaScript within a vulnerable SandboxJS environment. Given the high severity and the potential for persistent tampering, the risk is considerable.
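The persistent host-global tampering described above is something an integrator can detect and contain even before upgrading. The following is an added example, not code from the advisory or from SandboxJS: it snapshots the own property descriptors of a chosen set of host intrinsics, runs an opaque callback that stands in for executing untrusted code in the sandbox (wiring it to an actual SandboxJS call is assumed to be done by the integrator), reports any property that was added, removed or redefined, restores the pre-run state, and offers a freeze step so that writes such as Math.random = ... cannot succeed at all. The WATCHED set, the function names and the constructed workload are the example's own choices.

```javascript
// Added example, not part of the advisory or of SandboxJS itself.
// Defensive check for the failure mode described above: detect whether running
// untrusted code mutated host global objects, restore the pre-run state, and
// (optionally) freeze intrinsics up front so that an assignment such as
// Math.random = ... cannot succeed at all. The untrusted run is modelled as an
// opaque callback `work`; hooking it to a real sandbox invocation is assumed.

// Host globals whose own properties are tracked. Chosen for the example;
// extend to whatever intrinsics the application exposes to sandboxed code.
const WATCHED = { Math, JSON, Reflect, Object, Array };

// Record every own property descriptor of each watched global.
function snapshotGlobals(globals = WATCHED) {
  const snap = new Map();
  for (const [name, obj] of Object.entries(globals)) {
    const descs = new Map();
    for (const key of Reflect.ownKeys(obj)) {
      descs.set(key, Object.getOwnPropertyDescriptor(obj, key));
    }
    snap.set(name, descs);
  }
  return snap;
}

// Two descriptors are equal only if value/accessors and all flags match.
function sameDescriptor(a, b) {
  if (!a || !b) return false;
  return a.value === b.value && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

// Compare a snapshot with the live objects; returns names like "Math.random"
// for properties that were added, removed or redefined since the snapshot.
function diffGlobals(before, globals = WATCHED) {
  const changed = [];
  for (const [name, obj] of Object.entries(globals)) {
    const prev = before.get(name) || new Map();
    const keys = new Set([...prev.keys(), ...Reflect.ownKeys(obj)]);
    for (const key of keys) {
      if (!sameDescriptor(prev.get(key), Object.getOwnPropertyDescriptor(obj, key))) {
        changed.push(`${name}.${String(key)}`);
      }
    }
  }
  return changed;
}

// Put every watched global back to its snapshotted shape. This is damage
// limitation only: once untrusted code has written to host globals, the
// process should be treated as compromised and recycled.
function restoreGlobals(before, globals = WATCHED) {
  let restored = 0;
  for (const [name, obj] of Object.entries(globals)) {
    const prev = before.get(name) || new Map();
    for (const key of Reflect.ownKeys(obj)) {
      if (!prev.has(key)) { delete obj[key]; restored++; }
    }
    for (const [key, desc] of prev) {
      if (!sameDescriptor(desc, Object.getOwnPropertyDescriptor(obj, key))) {
        Object.defineProperty(obj, key, desc);
        restored++;
      }
    }
  }
  return restored;
}

// Run `work` (stand-in for executing untrusted code in the sandbox) and
// report which host globals it touched, plus any error it threw.
function runWithIntegrityCheck(work, globals = WATCHED) {
  const snapshot = snapshotGlobals(globals);
  let error = null;
  try { work(); } catch (e) { error = e; }
  return { snapshot, tampered: diffGlobals(snapshot, globals), error };
}

// Hardening: freeze the globals so assignment cannot change them. In strict
// code the write throws a TypeError; in sloppy code it is silently ignored.
function freezeHostGlobals(globals = WATCHED) {
  for (const obj of Object.values(globals)) Object.freeze(obj);
  return Object.keys(globals);
}

// Constructed demonstration: a workload that overwrites Math.random, the kind
// of host-global write the advisory says the bypass makes possible.
const demo = runWithIntegrityCheck(() => { Math.random = () => 0.5; });
console.log('tampered:', demo.tampered);                 // [ 'Math.random' ]
console.log('restored:', restoreGlobals(demo.snapshot)); // 1
console.log('clean after restore:', diffGlobals(demo.snapshot).length === 0); // true
```

The descriptor comparison matters more than a value comparison: a getter installed on Math.random would not show up if only `obj[key]` were compared. Freezing is the stronger control, but apply it only to intrinsics your own code never needs to patch afterwards, and note that it does not cover objects reachable through prototypes unless those are frozen too.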
OpenCVE Enrichment
Github GHSA