Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.
Published: 2026-05-28
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SandboxJS, prior to version 0.9.6, allowed sandbox‑defined functions to expose the native Function.caller property. Through this leakage an attacker‑supplied sandbox script could retrieve the internal LispType.Call runtime callback, invoke it with fabricated context and obj parameters, extract blocked host statics, recover the real host Function constructor, and ultimately execute arbitrary host JavaScript. This flaw is a code injection vulnerability (CWE‑94) and is listed with a CVSS score of 10, indicating a full compromise of confidentiality, integrity, and availability of the host environment.

Affected Systems

The issue affects the nyariv SandboxJS library in all releases before 0.9.6. No other vendors or product versions are enumerated in the CVE data. Applications that embed SandboxJS 0.9.5 or earlier are vulnerable.

Risk and Exploitability

The vulnerability carries the maximum severity rating, underscoring the potential for complete host code takeover. The EPSS score is unavailable, and the flaw is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker who can submit or create sandbox‑defined functions, for example through user‑supplied script input. Once the internal call operation is accessed, the attacker can achieve arbitrary code execution on the host platform.

Generated by OpenCVE AI on May 28, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s fix by upgrading SandboxJS to version 0.9.6 or later.
  • Ensure that the sandbox configuration prohibits exposure of Function.caller and any internal runtime callbacks, thereby preventing leakage of the Call operation.
  • Implement active monitoring and audit of sandbox interactions to detect any unexpected host code execution before a patch can be applied.


Advisories
Source: Github GHSA
ID: GHSA-g8f2-4f4f-5jqw
Title: SandboxJS has a sandbox escape via Function.caller leakage of internal call op

History

Thu, 28 May 2026 20:30:00 +0000

Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:30:00 +0000

Values Added
First Time appeared: Nyariv; Nyariv sandboxjs
CPEs: cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*
Vendors & Products: Nyariv; Nyariv sandboxjs

Thu, 28 May 2026 18:00:00 +0000

Values Added
Description: SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.
Title: SandboxJS: Sandbox escape via Function.caller leakage of internal call op
Weaknesses: CWE-94
References:
Metrics: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:32:45.499Z

Reserved: 2026-05-04T16:11:33.085Z

Link: CVE-2026-43898

Vulnrichment

Updated: 2026-05-28T19:32:24.571Z

NVD

Status: Modified

Published: 2026-05-28T18:16:32.837

Modified: 2026-05-28T20:16:23.810

Link: CVE-2026-43898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')