SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.
Functions defined inside the sandbox expose the Function.caller property, allowing sandboxed code to access the internal LispType.Call runtime environment callback. An attacker can then invoke this callback with controlled fake context and object values, allowing extraction of blocked static host elements. Subsequently, it is possible to recover the true host Function constructor and execute arbitrary JavaScript code outside the sandbox (code injection, CWE-94).
An attacker can fully bypass the sandbox isolation mechanism and execute arbitrary JavaScript code in the context of the host process, gaining access to resources, data and functions that should remain inaccessible to them.
The SandboxJS library must be updated to version 0.9.6, where the vulnerability has been fixed. The fix commit is available at: https://github.com/nyariv/SandboxJS/commit/826865251232611ec94078bab5a18ec875dad4a5
Nyariv SandboxJS in versions before 0.9.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNyariv Sandboxjs
APPNyariv< 0.9.6
Related vulnerabilities
SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora
Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)
SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE
Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą
Ucieczka z sandboxa w bibliotece SandboxJS poprzez nadpisanie Map.prototype