SandboxJS is a JavaScript sandboxing library. Prior to version 0.8.36, a scope modification vulnerability allows untrusted sandboxed code to leak internal interpreter objects when using the new operator. The leak exposes sandbox scope objects in the scope hierarchy to untrusted code, enabling it to read or modify the scope within the sandbox. Although execution of arbitrary code remains confined and prototypes stay protected, the flaw breaks isolation between sandboxed components and could permit privilege escalation or data tampering inside the sandbox.

The vulnerable component is @nyariv/sandboxjs, packaged as SandboxJS. Versions older than 0.8.36 are affected. The library is used in Node.js applications that require sandboxing. No other vendors or products are listed.

The CVSS base score of 6.9 indicates moderate severity, with an EPSS below 1% suggesting low likelihood of exploitation in the current landscape. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation demands that the attacker can execute code within the sandbox; the flaw does not permit escape to the host environment, but compromising sandbox integrity may allow an attacker to alter application behavior or data within the constrained context.