SandboxJS Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability in SandboxJS, a JavaScript sandboxing library, allows for arbitrary code execution outside of the sandbox. This issue affects versions of SandboxJS through 0.8.28. The vulnerability arises because the return values of functions are not properly wrapped, enabling the use of Object.values or Object.entries to access the host's Function constructor. By leveraging Array.prototype.at, an attacker can retrieve the Function constructor and execute arbitrary code.
Impact
Exploitation of this vulnerability leads to a sandbox escape, allowing for arbitrary code execution on the host system.
Reproduction
To reproduce this vulnerability, create a new SandboxJS instance and compile a payload that uses Object.values or Object.entries to access the Function constructor. The payload can then be executed, resulting in arbitrary code execution outside of the sandbox.
Remediation
Users can upgrade to SandboxJS version 0.8.29 or later, where this vulnerability has been patched.
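To check whether a project still resolves an affected release, the following added example (not part of the original advisory or of SandboxJS) scans an npm lockfile's "packages" map for installs older than 0.8.29, including nested copies. The package name @nyariv/sandboxjs, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: flag SandboxJS installs older than 0.8.29 in an npm lockfile.
// ASSUMPTION: the npm package name is "@nyariv/sandboxjs"; adjust if yours differs.
const PACKAGE_NAME = "@nyariv/sandboxjs";
const FIXED = [0, 8, 29]; // first patched release, per the advisory

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into numeric parts; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// True when the version is older than 0.8.29.
// ASSUMPTION: a prerelease of 0.8.29 (e.g. 0.8.29-beta.1) is flagged too,
// because the advisory only names the 0.8.29 release as patched.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable: fail closed so a human reviews it
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre !== null;
}

// Walk a lockfile v2/v3 "packages" map and return every affected install,
// including copies nested under other dependencies' node_modules.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PACKAGE_NAME && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@nyariv/sandboxjs": { version: "0.8.29" },
    "node_modules/some-plugin/node_modules/@nyariv/sandboxjs": { version: "0.8.23" },
  },
};
console.log(findAffected(sampleLock));
```

To scan a real project, pass the parsed contents of its package-lock.json to findAffected instead of the sample object.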
