SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
The vulnerability results from the fact that the Map type is included in the SAFE_PROTOTYPES list, making its prototype accessible via Map.prototype inside the sandbox. An attacker can override the Map.prototype.has method with their own implementation, which leads to breaking the sandbox isolation mechanisms. This enables arbitrary JavaScript code execution outside the controlled environment.
An attacker can escape from the isolated sandbox environment and execute arbitrary code (RCE) in the context of the host application, potentially gaining full control over the system — including confidentiality, integrity, and availability of data (CWE-94: Code Injection).
Update the SandboxJS library to version 0.8.29 or newer, where the vulnerability has been patched. The fix is available in the project's GitHub repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3).
Nyariv SandboxJS library in versions prior to 0.8.29.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.8.29
Related vulnerabilities
SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą