@nyariv SandboxJS Scope Modification Vulnerability Allowing Internal Object Leakage
Vulnerability
A scope modification vulnerability has been identified in the @nyariv/sandboxjs library, affecting versions through 0.8.35. This vulnerability allows untrusted, sandboxed code to leak internal interpreter objects by using the new operator. The leaked objects include sandbox scope objects from the scope hierarchy, which could be accessed by the untrusted code. Although this vulnerability could enable modifications to the sandboxed scopes, the code execution remains confined to the sandbox, and prototypes are protected during execution.
Impact
Exploitation of this vulnerability allows for unauthorized access to and modification of scope variables in the sandbox, potentially leading to unintended behavior in the host application.
Reproduction
To reproduce this vulnerability, create a new directory and initialize a Node.js project. Set the module type to ESM and install the vulnerable @nyariv/sandboxjs package version 0.8.35. Then, create a minimal exploit that compiles and runs sandboxed code using the vulnerable library. The exploit should access a scope variable, such as isNaN, which will be leaked through the new operator into the sandbox's scope.
Remediation
Users are advised to update to @nyariv/sandboxjs version 0.8.36 or later, where this vulnerability has been fixed.
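Because the fix is a version bump, the practical defensive step is to find every copy of the package in a dependency tree that is still at or below 0.8.35, including nested copies pulled in by other dependencies. The script below is an added example, not code from the advisory or from the sandboxjs project: it walks the "packages" map of an npm lockfile (v2/v3 layout) and flags @nyariv/sandboxjs entries older than the fixed release 0.8.36. The lockfile object is constructed for illustration; the version boundaries come from the advisory text above.

```javascript
// Added example (not part of the advisory or the sandboxjs project): flag
// lockfile entries of @nyariv/sandboxjs that predate the fixed release.
const AFFECTED_PACKAGE = '@nyariv/sandboxjs';
const FIXED_VERSION = '0.8.36'; // first fixed release per the advisory

// Parse "major.minor.patch" into numbers, tolerating range prefixes (^, ~, =)
// and ignoring any pre-release or build suffix after '-' or '+'.
function parseVersion(v) {
  const core = v.replace(/^[v^~=]+/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Any version strictly below 0.8.36 is in the affected range (through 0.8.35).
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the npm lockfile "packages" map. Keys are install paths such as
// "node_modules/@nyariv/sandboxjs" or, for nested copies,
// "node_modules/some-plugin/node_modules/@nyariv/sandboxjs".
function findVulnerableEntries(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [installPath, meta] of Object.entries(packages)) {
    const idx = installPath.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry ("") has no node_modules prefix
    const name = installPath.slice(idx + 'node_modules/'.length);
    if (name !== AFFECTED_PACKAGE) continue;
    if (typeof meta.version !== 'string') continue;
    if (isVulnerableVersion(meta.version)) {
      findings.push({ path: installPath, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: a top-level vulnerable copy and a nested
// copy that is already on the fixed version.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'host-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.35' },
    'node_modules/some-plugin': { version: '2.1.0' },
    'node_modules/some-plugin/node_modules/@nyariv/sandboxjs': { version: '0.8.36' },
  },
};

// Usage: with a real lockfile, replace SAMPLE_LOCKFILE with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const finding of findVulnerableEntries(SAMPLE_LOCKFILE)) {
  console.log(`${finding.path} is at ${finding.version}; upgrade to ${FIXED_VERSION} or later`);
}
```

Nested copies matter here: a host application may already be on 0.8.36 while a plugin still bundles an older release, and only the nested entry would be reported by the walk above.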
