A critical sandbox escape vulnerability in SandboxJS allows unauthenticated attackers to bypass security restrictions and execute arbitrary code on the host system.

The library fails to wrap function return values, allowing an unauthenticated attacker to use Object.values or Object.entries to retrieve the host's Function constructor. By leveraging Array.prototype.at, the attacker can invoke this constructor to escape the sandbox.

This vulnerability completely negates the security benefits of the sandbox, leading to host-level arbitrary code execution (ACE). With a CVSS score of 10.0, the impact is catastrophic, potentially resulting in full system takeover, data exfiltration, and lateral movement within the infrastructure.

Immediate Action: Update SandboxJS to version 0.8.29 or higher to ensure all return values are properly wrapped and constructors are protected.

Proactive Monitoring: Monitor application logs for unusual patterns of prototype access or attempts to access the Function constructor from within sandboxed scripts.

Compensating Controls: Restrict the capabilities of the process running the sandbox using OS-level isolation (e.g., Docker containers or seccomp profiles) to limit the impact of a successful escape.

Public Exploit Available: No

Given the CVSS 10.0 rating, this is a maximum-severity issue. Organizations must update to version 0.8.29 immediately to restore the integrity of their sandboxing environment and prevent unauthorized host code execution.