CVE-2026-25881
SandboxJS · SandboxJS
SandboxJS versions before 0.8.31 contain a sandbox escape vulnerability via prototype pollution, potentially allowing sandboxed code to achieve remote code execution (RCE) on the host.
Executive summary
A critical sandbox escape in SandboxJS allows malicious code to bypass security boundaries and execute arbitrary commands on the host system through prototype pollution.
Vulnerability
The vulnerability lies in how the library handles global prototype references inside array literals: placing such a reference in an array literal strips its "isGlobal" protection flag. This unauthenticated flaw allows sandboxed code to mutate host built-in prototypes, leading to persistent prototype pollution and potential remote code execution (RCE).
Business impact
The ability to escape a JavaScript sandbox undermines the primary security control of the library. With a CVSS score of 9.0, this vulnerability allows an attacker to transition from a restricted environment to full host compromise. This could lead to unauthorized data access, system-wide instability, and the execution of malicious payloads in the application's context.
Remediation
Immediate Action: Update the SandboxJS library to version 0.8.31 or later to resolve the prototype mutation flaw.
Proactive Monitoring: Audit application code for uses of sensitive sinks (like execSync) that could be influenced by polluted object properties.
Compensating Controls: Implement strict Content Security Policies (CSP) and use object freezing techniques on global prototypes to prevent unauthorized modifications at runtime.
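One way to apply the object-freezing control and to audit a running Node.js host for polluted built-in prototypes, as an added example that is not from this advisory or the SandboxJS project; the `GUARDED` list, the function names and the probe key are assumptions:

```javascript
// Added example, not SandboxJS code. GUARDED is an assumed starting list;
// extend it to the built-ins your host process relies on.
const GUARDED = { Object, Array, Function, String };

// Record the descriptor of every own key (string or symbol) per prototype.
function snapshotPrototypes(ctors = GUARDED) {
  const snap = new Map();
  for (const [name, ctor] of Object.entries(ctors)) {
    const props = new Map();
    for (const key of Reflect.ownKeys(ctor.prototype)) {
      props.set(key, Object.getOwnPropertyDescriptor(ctor.prototype, key));
    }
    snap.set(name, props);
  }
  return snap;
}

// List keys added, removed or rebound since the baseline snapshot.
function diffPrototypes(baseline, ctors = GUARDED) {
  const findings = [];
  const now = snapshotPrototypes(ctors);
  for (const [name, before] of baseline) {
    const after = now.get(name) || new Map();
    for (const [key, d] of after) {
      const old = before.get(key);
      const label = `${name}.prototype.${String(key)}`;
      if (!old) findings.push(`added ${label}`);
      else if (!Object.is(old.value, d.value) || old.get !== d.get || old.set !== d.set) {
        findings.push(`changed ${label}`);
      }
    }
    for (const key of before.keys()) {
      if (!after.has(key)) findings.push(`removed ${name}.prototype.${String(key)}`);
    }
  }
  return findings;
}

// Freeze the prototypes; call once at startup, before untrusted code runs.
function freezePrototypes(ctors = GUARDED) {
  for (const ctor of Object.values(ctors)) Object.freeze(ctor.prototype);
}

// Self-test: true if a new property can still be defined on the prototype.
function isWritable(proto, key = "__constructed_probe__") {
  const ok = Reflect.defineProperty(proto, key, { value: 1, configurable: true });
  if (ok) delete proto[key];
  return ok;
}
```

Freezing can break code that assigns over an inherited property (for example, setting its own `toString` on a plain object), so test it against your dependencies first. The snapshot and diff functions work without freezing and can run periodically as a pollution check.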
Exploitation status
Public Exploit Available: false
Analyst recommendation
Developers using SandboxJS must treat this as a high-priority update. Because prototype pollution can have far-reaching effects across an entire Node.js process, immediate migration to version 0.8.31 is the only reliable way to ensure host integrity.