SandboxJS Prototype Manipulation Vulnerability Leading to Sandbox Escape
Vulnerability
A vulnerability in SandboxJS versions prior to 0.8.29 allows sandboxed code to escape the JavaScript sandbox by manipulating the prototype of Map, a built-in whose prototype the sandbox treats as safe to expose. The root cause lies in the sandbox's flawed handling of 'let' variables, which opens a window in which prototype members can be reached and replaced from inside the sandbox. By overwriting 'Map.prototype.has', an attacker can bypass the sandbox's restrictions and potentially execute arbitrary code in the host context.
Impact
Exploitation of this vulnerability allows untrusted code to escape the sandbox environment, with the potential for arbitrary code execution in the embedding application, as demonstrated in the proof-of-concept. Any deployment that runs user-supplied scripts through a vulnerable SandboxJS version should treat those scripts as having had host-level access.
Reproduction
The vulnerability can be reproduced by creating a new SandboxJS instance and compiling a script that overwrites 'Map.prototype.has' with a function supplied by the sandboxed script. Because the prototype is shared between the sandbox and its host, executing that script replaces behaviour the host relies on and allows the script to escape the sandbox and execute arbitrary code.
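The mechanism described above is a general one: whenever a host shares a built-in prototype with untrusted code and then calls methods on that prototype itself, the guest can flip the host's own decisions. The following is an added illustration written for this page, not SandboxJS's code and not the published proof-of-concept; the toy host, its allow list, the `HOST_SECRETS` object, and the `runGuest` helper are all constructed assumptions. It shows a host whose access check goes through the shared `Map.prototype.has`, the guest poisoning that method, and a hardened variant that captures the intrinsic before any guest code runs.

```javascript
// Added example (not SandboxJS code): shared-prototype poisoning of a host-side
// allow list, and the hardened form that does not consult the shared prototype.

// Constructed host data: one property the guest may read, one it may not.
const HOST_SECRETS = { publicName: 'demo', apiToken: 'tok-constructed-secret' };

// Vulnerable pattern: the allow-list check is a method call that resolves
// through Map.prototype at call time, and the guest shares that prototype.
function makeNaiveHost() {
  const allowed = new Map([['publicName', true]]);
  return {
    read(prop) {
      if (!allowed.has(prop)) throw new Error(`access to ${prop} denied`);
      return HOST_SECRETS[prop];
    },
  };
}

// Hardened pattern: capture the intrinsic once, at module load, before any
// untrusted code has had a chance to run, and invoke it via Reflect.apply so a
// replaced Map.prototype.has is never consulted.
const mapHas = Map.prototype.has;

function makeHardenedHost() {
  const allowed = new Map([['publicName', true]]);
  return {
    read(prop) {
      if (!Reflect.apply(mapHas, allowed, [prop])) {
        throw new Error(`access to ${prop} denied`);
      }
      return HOST_SECRETS[prop];
    },
  };
}

// Toy guest runner (assumption, not a real sandbox): the guest receives the
// host's own Map constructor, which is exactly what a "safe prototype" allow
// list in a sandbox amounts to when the realm is shared.
function runGuest(src, host) {
  return new Function('Map', 'host', `"use strict"; ${src}`)(Map, host);
}

// Constructed guest script: poison the shared prototype, then request a denied
// property. The host's check now returns true regardless of its contents.
const GUEST = `
  Map.prototype.has = function () { return true; };
  return host.read('apiToken');
`;

// Runs the guest against a host factory and reports whether the denied read
// succeeded. Restores Map.prototype.has afterwards so the poisoning does not
// leak into the rest of the process.
function attack(makeHost) {
  const saved = Map.prototype.has;
  try {
    return { escaped: true, value: runGuest(GUEST, makeHost()) };
  } catch (e) {
    return { escaped: false, error: e.message };
  } finally {
    Map.prototype.has = saved;
  }
}
```

The naive host leaks `apiToken`; the hardened host still throws `access to apiToken denied` because its check never looks at the (poisoned) shared prototype. Capturing intrinsics is only half of a real fix: a sandbox should also deny the guest write access to exposed prototypes (for example by freezing them or proxying them read-only) or avoid sharing the host's realm at all, which is the class of defence the SandboxJS 0.8.29 release restores for Map.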
Remediation
Users are advised to update to SandboxJS version 0.8.29 or later, where this vulnerability has been patched. Until the upgrade is deployed, scripts from untrusted sources should not be executed through the affected versions, since the sandbox boundary cannot be relied upon.
