Executive Summary

CVE-2026-25520 is a critical sandbox escape vulnerability in the SandboxJS JavaScript sandboxing library affecting versions up to 0.8.28. The issue arises because the return values of functions executed within the sandbox are not properly wrapped or sanitized. This flaw allows attackers to use JavaScript methods like Object.values or Object.entries to retrieve an array containing the host environment’s native Function constructor. By accessing this constructor via Array.prototype.at, attackers can execute arbitrary code outside the sandbox environment.

This vulnerability enables chaining of function calls to bypass most validation and sanitization mechanisms, leading to remote code execution (RCE) on the host system without any privileges or user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact as it allows an attacker to completely escape the sandbox and execute arbitrary code on the host system remotely. Since no privileges or user interaction are required, an attacker can gain full control over the affected system.

• Remote Code Execution (RCE) on the host system.
• Full system compromise including confidentiality, integrity, and availability breaches.
• Potential execution of arbitrary commands such as accessing system files or running malicious processes.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your system is running a vulnerable version of the SandboxJS library (versions up to and including 0.8.28). Since the vulnerability allows execution of arbitrary code via the exposed Function constructor, one way to detect exploitation attempts is to monitor for unusual or unauthorized execution of commands that could be triggered through this vector.'}, {'type': 'paragraph', 'content': "A practical detection approach involves looking for suspicious JavaScript code that uses Object.values or Object.entries combined with Array.prototype.at to access the host's Function constructor within sandboxed environments."}, {'type': 'paragraph', 'content': 'For example, monitoring logs or sandboxed JavaScript execution for patterns similar to the following proof-of-concept commands could help identify exploitation attempts:'}, {'type': 'list_item', 'content': '`Object.values(sandboxedObject).at(0)` to access the Function constructor.'}, {'type': 'list_item', 'content': "Execution of commands like `process.getBuiltinModule('child_process').execSync('ls -lah')` via the exposed Function constructor."}, {'type': 'paragraph', 'content': 'On the system level, you can use commands to check the installed version of SandboxJS, for example, by running:'}, {'type': 'list_item', 'content': '`npm list @nyariv/sandboxjs`'}, {'type': 'list_item', 'content': '`npm ls @nyariv/sandboxjs`'}, {'type': 'paragraph', 'content': 'If the version is 0.8.28 or earlier, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation step is to upgrade the SandboxJS package to version 0.8.29 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "This update hardens the sandbox environment by properly wrapping return values of functions and restricting access to the host's Function constructor, preventing arbitrary code execution."}, {'type': 'paragraph', 'content': 'Additional mitigation steps include:'}, {'type': 'list_item', 'content': 'Review and restrict the use of unsafe JavaScript methods such as Object.values, Object.entries, and Array.prototype.at within sandboxed code.'}, {'type': 'list_item', 'content': "Monitor sandboxed environments for suspicious activity or attempts to access the host environment's Function constructor."}, {'type': 'list_item', 'content': 'Apply security best practices such as running sandboxed code with least privilege and isolating sandbox environments.'}] [1, 2]

Useful 0 Not Useful 0