CRITICAL🇵🇱 Wersja polska

CVE-2026-43898

CVSS 10.0v3.1pub. 2026-05-28

SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.

🤖 AI Analysis
How it works

Functions defined inside the sandbox expose the Function.caller property, allowing sandboxed code to access the internal LispType.Call runtime environment callback. An attacker can then invoke this callback with controlled fake context and object values, allowing extraction of blocked static host elements. Subsequently, it is possible to recover the true host Function constructor and execute arbitrary JavaScript code outside the sandbox (code injection, CWE-94).

Impact

An attacker can fully bypass the sandbox isolation mechanism and execute arbitrary JavaScript code in the context of the host process, gaining access to resources, data and functions that should remain inaccessible to them.

Mitigation & patch

The SandboxJS library must be updated to version 0.9.6, where the vulnerability has been fixed. The fix commit is available at: https://github.com/nyariv/SandboxJS/commit/826865251232611ec94078bab5a18ec875dad4a5

Who is affected

Nyariv SandboxJS in versions before 0.9.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.9.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-34208CRITICAL10.0PL ✓ten sam produkt

SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25520CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą

CVE-2026-25587CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece SandboxJS poprzez nadpisanie Map.prototype