SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29.
The SandboxJS library's protection mechanism is based on a whitelist of prototype properties, whose enforcement occurs in the property access path using the hasOwnProperty method. An attacker can declare their own property named hasOwnProperty directly on the sandbox object, causing the original whitelist check to be bypassed. Once this protection is disabled, direct access to normally blocked properties such as __proto__ becomes possible, enabling a prototype pollution attack on the host's Object.prototype. The effects of such prototype poisoning are persistent and can affect all other objects running in the same process, including other sandbox instances.
An attacker can perform a prototype pollution attack on the host's global Object.prototype, leading to persistent, cross-cutting impact on all sandboxes and objects in the process, potentially enabling remote code execution (RCE) or application takeover.
SandboxJS should be updated to version 0.8.29 or later, in which the vulnerability has been fixed. The patch is available in the vendor's GitHub repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3).
Nyariv SandboxJS in versions before 0.8.29
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.8.29
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą