Impact
SandboxJS, a JavaScript sandboxing library, contains a scope modification flaw in versions prior to 0.8.36. The vulnerability is triggered by using the "new" operator within untrusted sandboxed code, which causes internal interpreter objects to leak through the scope hierarchy. While the sandbox still disallows direct execution of arbitrary code and protects prototypes, the exposed scope objects enable attackers to modify or introspect the sandbox’s internal state, potentially leading to information leakage or unintended behavior within the confined environment.
Affected Systems
The flaw affects the nyariv SandboxJS library before version 0.8.36. Users deploying any version of the library older than this release should identify the specific version in use and determine whether sandboxed code is executed in that environment.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.9, indicating a moderate severity level. No EPSS data is provided, and the issue is not listed in the CISA KEV catalog. An attacker must be able to run code inside the SandboxJS environment to exploit the bug; however, because the library is designed to isolate untrusted scripts, the primary risk is that a developer who accepts third-party code might inadvertently allow state manipulation within the sandbox. The exploitation path is straightforward once the "new" operator is available within the sandboxed context, with no additional prerequisites reported.