SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
Return values from functions inside the sandbox are not wrapped into safe equivalents. An attacker can use Object.values or Object.entries methods to obtain an array containing the host's Function constructor. Subsequently, using the Array.prototype.at method, it is possible to extract this constructor and use it to build and execute arbitrary JavaScript code outside the controlled sandbox environment. This is a classic injection scenario (CWE-74) leading to full RCE on the host side.
An attacker can execute arbitrary JavaScript code outside the sandbox in the context of the host process, resulting in complete takeover of the application, data leakage, and potential compromise of system integrity and availability.
SandboxJS should be updated to version 0.8.29 or later. The patch is available in the vendor's repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3). Until the update is applied, untrusted input data should not be passed to the SandboxJS environment.
Nyariv SandboxJS library in all versions before 0.8.29
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.8.29
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
SandboxJS — ucieczka z sandbox przez shadowing hasOwnProperty