SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
SandboxJS does not block calls to __lookupGetter__, which is a mechanism allowing reading accessor methods (getters) assigned to object properties. An attacker can use this method to obtain a reference to JavaScript object prototypes, which should normally be inaccessible from sandboxed code. Gaining access to prototypes enables bypassing sandbox restrictions and executing arbitrary code outside its boundaries (prototype pollution or direct environment privilege escalation).
An attacker can escape the isolated JavaScript environment and execute arbitrary code on the server side or in the application hosting the library (RCE). This results in complete loss of confidentiality, integrity, and availability of the system.
Update the SandboxJS library to version 0.8.27 or newer, in which the vulnerability has been removed. The update is available in the project's GitHub repository (commit 75c8009db32e6829b0ad92ca13bf458178442bd3).
Nyariv SandboxJS library in all versions before 0.8.27.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.8.27
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
SandboxJS — ucieczka z sandbox przez shadowing hasOwnProperty