SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
SandboxJS blocks direct assignment of properties to global objects (e.g., Math.random = ...), however this protection can be bypassed by calling this.constructor.call(target, attackerObject). Since this.constructor points to the internal SandboxGlobal function, and Function.prototype.call is allowed, attacker code can write arbitrary properties to global host objects. These mutations are permanent and persist across all sandbox instances running in the same process, effectively breaking the isolation boundary.
An attacker can permanently modify global objects in the host environment, leading to data integrity violations, potential information disclosure, and takeover of control over the logic of other sandbox instances running in the same process.
The SandboxJS library should be updated to version 0.8.36 or later, where the vulnerability has been fixed. Details available in the vendor's references (GitHub Security Advisory GHSA-2gg9-6p7w-6cpj).
Nyariv SandboxJS in versions earlier than 0.8.36
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LNyariv Sandboxjs
APPNyariv< 0.8.36
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą
Ucieczka z sandboxa w bibliotece SandboxJS poprzez nadpisanie Map.prototype