CVE-2026-23830

SandboxJS · JavaScript sandboxing library · Multiple Products

A critical sandbox escape vulnerability exists in the SandboxJS library, rated with the maximum CVSS score of 10.0.

Executive summary

A critical sandbox escape vulnerability exists in the SandboxJS library, rated with the maximum CVSS score of 10.0. The flaw allows untrusted code running inside the sandbox to break out and execute arbitrary commands on the host system, leading to a full system compromise. Organizations using affected versions to run untrusted JavaScript are at immediate risk of Remote Code Execution (RCE).

Vulnerability

The vulnerability is a sandbox escape due to incomplete function constructor sandboxing. SandboxJS is designed to safely execute untrusted JavaScript by replacing the native Function constructor with a sandboxed equivalent. However, it failed to do the same for other function constructors like AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction. An attacker can run code inside the sandbox that creates an anonymous async function (e.g., (async () => {})) and then accesses its .constructor property. Because AsyncFunction is not mapped to a safe replacement, the library returns the host's actual, native AsyncFunction constructor. Using this native constructor, the attacker can then create a new function that executes in the global scope of the host machine, completely bypassing all sandbox restrictions and achieving Remote Code Execution.
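The following is an added example, not SandboxJS code, written to show the check a sandbox maintainer or auditor would run against the bug class described above. The four native function constructors are not global bindings; they are only reachable through the prototype chain of a function value, so the example captures them that way. The `resolveConstructor` helper and the replacement map are an assumed model of the decision point a sandbox makes when untrusted code reads `.constructor`: a table that covers only `Function` lets the other three fall through to the host's native constructor, which is exactly the gap the advisory describes, while a table covering all four kinds leaks nothing. Nothing here invokes the leaked constructors; the audit only reports which kinds are exposed.

```javascript
'use strict';

// The native constructors are reachable only via prototypes, never as globals.
// Capturing them this way lets the audit compare by identity.
const NATIVE_FUNCTION_CONSTRUCTORS = {
  Function: Function,
  AsyncFunction: Object.getPrototypeOf(async function () {}).constructor,
  GeneratorFunction: Object.getPrototypeOf(function* () {}).constructor,
  AsyncGeneratorFunction: Object.getPrototypeOf(async function* () {}).constructor,
};

// One probe literal per constructor kind, as sandboxed code could write them.
const PROBES = {
  Function: function () {},
  AsyncFunction: async () => {},
  GeneratorFunction: function* () {},
  AsyncGeneratorFunction: async function* () {},
};

// A safe replacement: refuses to compile source inside the sandbox.
function makeSafeConstructor(kind) {
  const safe = function () {
    throw new Error(kind + ' is disabled inside the sandbox');
  };
  Object.defineProperty(safe, 'name', { value: 'Sandboxed' + kind });
  return safe;
}

// Build the native -> replacement table for the listed constructor kinds.
// A sandbox that builds this for ['Function'] only has the advisory's gap.
function buildReplacementMap(kinds) {
  const map = new Map();
  for (const kind of kinds) {
    map.set(NATIVE_FUNCTION_CONSTRUCTORS[kind], makeSafeConstructor(kind));
  }
  return map;
}

// Assumed model of how a sandbox resolves `.constructor` on a function value:
// consult the table, and (the bug) fall through to the native one when absent.
function resolveConstructor(value, replacementMap) {
  const native = value.constructor;
  return replacementMap.has(native) ? replacementMap.get(native) : native;
}

// Audit: which probe kinds resolve to a host-native constructor?
// An empty result means every constructor kind is covered.
function auditConstructorCoverage(replacementMap) {
  const leaked = [];
  for (const [kind, probe] of Object.entries(PROBES)) {
    if (resolveConstructor(probe, replacementMap) === NATIVE_FUNCTION_CONSTRUCTORS[kind]) {
      leaked.push(kind);
    }
  }
  return leaked;
}

// Two configurations: the incomplete table (only Function mapped) and the complete one.
const incompleteMap = buildReplacementMap(['Function']);
const completeMap = buildReplacementMap(Object.keys(NATIVE_FUNCTION_CONSTRUCTORS));

console.log('leaked with Function-only mapping:', auditConstructorCoverage(incompleteMap));
console.log('leaked with full mapping:', auditConstructorCoverage(completeMap));
```

Run under Node: the Function-only table reports AsyncFunction, GeneratorFunction and AsyncGeneratorFunction as leaked, and the full table reports nothing. The identity comparison matters: checking `typeof` or the constructor's `name` is not enough, because a host-native constructor and a wrapper can both report `function` and a wrapper can be given any name.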

Business impact

This vulnerability is of critical severity with a CVSS score of 10.0, representing the highest possible risk. Successful exploitation results in a complete compromise of the underlying server or system running the SandboxJS library. An attacker can execute arbitrary code with the full permissions of the application process, leading to severe consequences such as theft of sensitive data, deployment of ransomware, installation of persistent backdoors, and using the compromised system to launch further attacks against the internal network. Any application relying on this library for security is effectively without protection.

Remediation

Immediate Action: Upgrade all instances of SandboxJS to version 0.8.26 or later, which contains the patch for this vulnerability. After patching, it is crucial to check for signs of past exploitation by thoroughly reviewing application and system access logs for suspicious activity.

Proactive Monitoring: Security teams should monitor for exploitation attempts by inspecting application logs for unusual JavaScript patterns, specifically calls involving .constructor on function types like async () => {}. On the host system, monitor the application process for anomalous behavior, such as unexpected child processes, outbound network connections to unknown destinations, or unauthorized file system modifications.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Run the application utilizing SandboxJS in a heavily restricted, containerized environment with minimal privileges and strict network egress filtering.
  • Implement stringent input validation on any JavaScript code before it is passed to the sandbox, attempting to block or sanitize calls to .constructor.
  • Use a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules designed to detect and block exploit payloads targeting this vulnerability.
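The log inspection recommended under Proactive Monitoring and the pre-screen suggested as a compensating control both come down to the same question: does a submitted script read `.constructor`, and does it do so directly on a function literal? The following added example, which is not part of the advisory or of SandboxJS, shows one way to triage scripts before they reach the sandbox. It assumes the application records each submitted script (the `SAMPLE_SUBMISSIONS` entries are constructed, not captured payloads), flags both the dot form and the bracket-string form of constructor access, and ranks an access that sits directly after a function literal higher than an ordinary `obj.constructor` read, which is common in benign code. It is a pre-screen, not a fix: string matching cannot see computed or obfuscated property names, so it lowers exposure only until the upgrade to 0.8.26 is applied.

```javascript
'use strict';

// Constructor-access forms a pre-screen can match in submitted scripts.
const CONSTRUCTOR_ACCESS = [
  { id: 'dot-constructor', re: /\.\s*constructor\b/g },
  { id: 'bracket-constructor', re: /\[\s*(['"`])constructor\1\s*\]/g },
];

// Keywords that mark the function literals named in the advisory
// (async arrows, generator and async generator functions).
const FUNCTION_LITERAL_HINT = /(?:\basync\b|\bfunction\b\s*\*?|=>)/;

// Scan one submitted script and return every constructor access found,
// noting whether it sits directly on a closed function literal, i.e. the
// `(async () => {}).constructor` shape from the advisory.
function scanSubmittedScript(source) {
  const findings = [];
  for (const { id, re } of CONSTRUCTOR_ACCESS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      // Look at a window of text before the match: a literal such as
      // `(async () => {})` ends in ')' and contains one of the keywords.
      const before = source.slice(Math.max(0, m.index - 120), m.index).trimEnd();
      const onFunctionLiteral = before.endsWith(')') && FUNCTION_LITERAL_HINT.test(before);
      findings.push({ pattern: id, offset: m.index, onFunctionLiteral });
    }
  }
  return findings;
}

// Turn findings into a queue verdict: 'high' for the advisory's shape,
// 'review' for any other constructor access, 'clean' otherwise.
function triage(findings) {
  if (findings.some((f) => f.onFunctionLiteral)) return 'high';
  if (findings.length > 0) return 'review';
  return 'clean';
}

// Constructed sample submissions (assumed log shape: one record per job).
const SAMPLE_SUBMISSIONS = [
  { id: 'job-001', code: 'const doubled = [1, 2, 3].map(n => n * 2); return doubled;' },
  { id: 'job-002', code: 'const k = (async () => {}).constructor; return typeof k;' },
  { id: 'job-003', code: 'return (function* () {})["constructor"];' },
  { id: 'job-004', code: 'return input.constructor === Array ? input.length : 0;' },
  { id: 'job-005', code: 'const constructor = 5; return constructor + 1;' },
];

// Triage every submission; returns [{ id, verdict }, ...] for the SOC queue.
function triageAll(submissions) {
  return submissions.map((s) => ({ id: s.id, verdict: triage(scanSubmittedScript(s.code)) }));
}

for (const result of triageAll(SAMPLE_SUBMISSIONS)) {
  console.log(result.id, result.verdict);
}
```

On the constructed samples, job-002 and job-003 rank `high` because the access follows an async arrow and a generator literal, job-004 ranks `review` because a plain `input.constructor` comparison is routine in benign scripts, and the remaining jobs are `clean`; a bare identifier named `constructor` (job-005) is deliberately not matched, since there is no property access.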

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 10.0) and the risk of complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all affected systems be patched to SandboxJS version 0.8.26 or newer on an emergency basis. Due to the high likelihood of exploitation, organizations should treat this as an active threat and proactively hunt for signs of compromise in systems that were running a vulnerable version. The absence of this CVE from the CISA KEV catalog should not diminish the urgency of remediation efforts.