@nyariv/sandboxjs Prototype Pollution Vulnerability Allowing Denial-of-Service and Sandbox Escape
Vulnerability
A prototype pollution vulnerability has been identified in @nyariv/sandboxjs versions through 0.8.23. Crafted JavaScript code evaluated inside the sandbox can inject arbitrary properties into Object.prototype. The issue arises from inadequate checks on prototype access within the sandbox's execution logic: the checks did not cover JavaScript function objects, whose prototype chain (Function.prototype, then Object.prototype) leads to the same Object.prototype the host application uses. Exploitation can lead to a denial-of-service condition or, in certain scenarios, escape the intended restrictions of the sandboxed environment.
Impact
Exploitation of this vulnerability causes a denial-of-service condition and can potentially escape the sandboxed environment: because the sandbox shares Object.prototype with the host, a property injected from sandboxed code is visible on every object in the host application, which can lead to unrestricted code execution.
Reproduction
The vulnerability can be reproduced by creating a new sandbox instance and compiling a payload that reaches the prototype of a function object, for example via the legacy 'sub' method of a string (a function whose prototype chain runs from Function.prototype to Object.prototype). The payload calls '__defineGetter__' on that prototype to inject a property; reading the property on an ordinary object outside the sandbox afterwards shows that the pollution crossed the sandbox boundary.
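The following is an added example for this advisory, not code from @nyariv/sandboxjs, and it does not load the package. It runs in plain Node.js and shows two things a practitioner would want to verify: why a function object such as a string's 'sub' method is a route to Object.prototype (the access path the reproduction above relies on), and a host-side canary that detects Object.prototype pollution after untrusted code has run. The property names "canary_demo" and "canary_test", the FORBIDDEN_PROPS list and the function names are assumptions chosen here for illustration; the pollution is performed on the real Object.prototype and then removed.

```javascript
// Added example for this advisory; not code from @nyariv/sandboxjs and it
// does not require the package. Names such as "canary_demo" are illustrative.

// (a) Why a function object is a route to Object.prototype:
// "".sub is String.prototype.sub (a legacy Annex B method), i.e. a Function,
// so its prototype is Function.prototype, whose prototype is Object.prototype.
function chainFromStringSub() {
  const fn = "".sub;
  const fnProto = Object.getPrototypeOf(fn);
  return {
    isFunction: typeof fn === "function",
    reachesFunctionPrototype: fnProto === Function.prototype,
    reachesObjectPrototype: Object.getPrototypeOf(fnProto) === Object.prototype,
  };
}

// Property names an evaluator must refuse on every member access, including
// accesses on function objects. A guard that only covers plain objects leaves
// the route above open. (Illustrative list, not the library's own.)
const FORBIDDEN_PROPS = new Set([
  "__proto__", "constructor", "prototype",
  "__defineGetter__", "__defineSetter__", "__lookupGetter__", "__lookupSetter__",
]);
function isForbiddenAccess(prop) {
  return typeof prop === "string" && FORBIDDEN_PROPS.has(prop);
}

// (b) Host-side canary: snapshot Object.prototype's own keys before running
// untrusted code; afterwards, any new key means the prototype was polluted.
function prototypeCanary() {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  return () => Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
}

// Reproduce the effect the advisory describes, without a sandbox, then undo it.
// The getter is defined by walking the function's prototype chain rather than
// by naming Object.prototype directly, mirroring the uncovered access route.
function simulateEscape(name) {
  const check = prototypeCanary();
  const target = Object.getPrototypeOf(Object.getPrototypeOf("".sub)); // Object.prototype
  target.__defineGetter__(name, () => "polluted");
  const leaked = ({})[name];   // an unrelated object now sees the injected property
  const added = check();       // the canary reports the new key
  delete target[name];         // __defineGetter__ creates a configurable property
  return { leaked, added, cleanedUp: ({})[name] === undefined };
}

console.log(chainFromStringSub());
console.log(simulateEscape("canary_demo"));
```

The canary is a detection control, not a fix: it tells the host that untrusted code polluted Object.prototype, after the fact. The property-name guard is the kind of check the evaluator itself has to apply on every member access, function objects included, and the only supported remediation is upgrading to a patched version.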
Remediation
Upgrade to @nyariv/sandboxjs version 0.8.24 or later, where this vulnerability has been patched.
