CRITICAL🇵🇱 Wersja polska

CVE-2026-23830

CVSS 10.0v3.1pub. 2026-01-28upd. 2026-02-12

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability.

🤖 AI Analysis
How it works

The SandboxJS library replaces the global `Function` constructor with a secure, controlled version (`SandboxFunction`), but before version 0.8.26 it did not include mapping of the `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction` constructors. These constructors are not global properties, but can be obtained via the `.constructor` property of an async function instance (e.g., `(async () => {}).constructor`). When code executed inside the sandbox accesses `.constructor` on an async function, the `executor.ts` module returns the native, unmodified host `AsyncFunction` constructor, as it is not on the list of safe replacements. Using this constructor, an attacker can create functions executed outside the sandbox context, completely bypassing its restrictions.

Impact

An attacker can execute arbitrary JavaScript code outside the sandbox in the full context of the host environment (RCE), gaining access to all resources and data available to the application — including the file system, environment variables, and network.

Mitigation & patch

SandboxJS should be updated to version 0.8.26 or later, which introduces proper mapping of `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction` constructors in the sandbox isolation mechanism.

Who is affected

Nyariv SandboxJS library in versions prior to 0.8.26

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.8.26
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-43898CRITICAL10.0PL ✓ten sam produkt

SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE

CVE-2026-34208CRITICAL10.0PL ✓ten sam produkt

SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25586CRITICAL10.0PL ✓ten sam produkt

SandboxJS — ucieczka z sandbox przez shadowing hasOwnProperty