Executive Summary

CVE-2026-43898 is a critical vulnerability in SandboxJS, a JavaScript sandboxing library. Prior to version 0.9.6, sandbox-defined functions expose the Function.caller property, which allows sandboxed code to access an internal LispType.Call runtime callback. This callback can be invoked with attacker-controlled context and object values, enabling the attacker to extract blocked host statics, recover the real host Function constructor, and execute arbitrary JavaScript code on the host.

The root cause is improper property access logic in the CommonJS build, which allows sandboxed code to read Function.caller and observe the host-side callback that invoked the sandbox function. This callback accepts attacker-controlled parameters without authentication, allowing forged operands to invoke internal primitives.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in SandboxJS allows arbitrary code execution by escaping the sandbox, which can lead to unauthorized access to sensitive data and system resources. This poses significant risks to confidentiality, integrity, and availability of data.

Such unauthorized access and potential data breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access and disclosure.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to compromised data security and privacy.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to escape the sandbox environment and execute arbitrary JavaScript code on the host system. This can lead to a complete compromise of the host environment, including unauthorized access to sensitive data, execution of malicious commands, and full control over the affected system.

The CVSS v3.1 base score is 10.0, indicating critical severity with impacts on confidentiality, integrity, and availability. The attack requires no privileges or user interaction and can be performed remotely over the network.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the SandboxJS version in use is prior to 0.9.6, as versions 0.9.5 and earlier are vulnerable.

Since the vulnerability allows sandboxed code to access the Function.caller property and execute arbitrary host JavaScript, one way to detect exploitation attempts is to monitor for unusual or unauthorized JavaScript execution within sandboxed environments.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade SandboxJS to version 0.9.6 or later, where this vulnerability is fixed.

The fix involves restricting access to the Function.caller, callee, and arguments properties within the sandbox, preventing sandboxed code from exploiting the internal LispType.Call runtime callback.

If upgrading immediately is not possible, consider restricting or monitoring the execution of sandboxed JavaScript code to detect and prevent exploitation attempts.

Useful 0 Not Useful 0