SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.
In versions prior to 0.8.34, it is possible to obtain an array containing a reference to the built-in Function constructor, which should be blocked by the sandbox. Then, using the Object.fromEntries method, an attacker can construct an object in the form {[p]: Function}, where p is any constructible property. This way, the restrictions imposed by the sandbox are bypassed, and the attacker gains access to the full functionality of the JavaScript environment — including the ability to execute arbitrary code (CWE-94: code injection).
An attacker can escape from the isolated sandbox environment and execute arbitrary JavaScript code in the context of the host application, which may lead to complete application takeover, data leakage, or further system compromise.
Update the SandboxJS library to version 0.8.34 or newer, in which the vulnerability has been fixed. Details are available in the vendor's references on GitHub Security Advisories.
Nyariv SandboxJS in versions prior to 0.8.34
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.8.34
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą
Ucieczka z sandboxa w bibliotece SandboxJS poprzez nadpisanie Map.prototype