CVE-2026-23830
Unknown Unknown - Not Provided
Sandbox Escape in SandboxJS Pre-0.8.26 Enables RCE

Publication date: 2026-01-28

Last updated on: 2026-02-12

Assigner: GitHub, Inc.

Description
SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23830
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nyariv sandboxjs to 0.8.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

SandboxJS versions prior to 0.8.26 have a sandbox escape vulnerability because the AsyncFunction constructor was not replaced with a safe sandboxed version. The library replaces the global Function constructor with a sandboxed version to isolate code execution, but it missed AsyncFunction and other related constructors. Attackers can access the native AsyncFunction constructor via the .constructor property of an async function inside the sandbox, allowing them to create new async functions that execute outside the sandbox. This bypasses all sandbox restrictions and enables remote code execution in the host environment.

Impact Analysis

This vulnerability allows an attacker to escape the sandbox environment and execute arbitrary code with the privileges of the host environment. This can lead to full remote code execution, compromising the security and integrity of the system running SandboxJS, potentially allowing data theft, system manipulation, or further attacks.

Mitigation Strategies

Upgrade SandboxJS to version 0.8.26 or later, as this version patches the sandbox escape vulnerability by properly isolating AsyncFunction and related constructors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart