CVE-2026-26954

SandboxJS · SandboxJS

SandboxJS versions prior to 0.8.34 allow attackers to escape the JavaScript sandbox by obtaining arrays containing Function objects, leading to arbitrary code execution.

Executive summary

A critical sandbox escape vulnerability in SandboxJS allows attackers to bypass security restrictions and execute arbitrary JavaScript code on the host system.

Vulnerability

The library fails to properly restrict access to the Function constructor when specific array and object methods are used. An attacker can use Object.fromEntries to construct malicious objects that grant access to restricted functions, effectively breaking the sandbox environment.

Business impact

The ability to escape a security sandbox represents a total failure of the primary security control of the library, justifying the CVSS score of 10.0. This allows for unauthenticated arbitrary code execution, which can lead to full system compromise, data exfiltration, and the deployment of malware. For applications relying on SandboxJS to run untrusted code, this is a catastrophic risk.

Remediation

Immediate Action: Upgrade SandboxJS to version 0.8.34 or higher to resolve the logic error allowing the sandbox escape.

Proactive Monitoring: Audit application logs for unusual JavaScript execution patterns or attempts to access the Function constructor from within sandboxed environments.

Compensating Controls: Implement secondary isolation layers, such as running the sandboxed process within a low-privilege container or a separate virtual machine.
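To confirm the upgrade reached every installed copy, including transitive ones, the following added example (not part of the advisory or the SandboxJS project) scans a parsed npm lockfile for versions below 0.8.34. The npm package name `@nyariv/sandboxjs`, the `rule-engine` dependency and the sample lockfile contents are assumptions made for illustration.

```javascript
// Added example: flag SandboxJS copies below the fixed release in an npm lockfile.
// ASSUMPTION: PACKAGE_NAME is not stated in the advisory; adjust to your dependency name.
const PACKAGE_NAME = '@nyariv/sandboxjs';
const FIXED = '0.8.34'; // first fixed version, per the advisory

// Return -1/0/1 for version a compared with the plain x.y.z version b.
function cmp(a, b) {
  const [core, pre] = a.split('-');
  const pa = core.split('.').map(Number), pb = b.split('.').map(Number);
  if (pa.length !== 3 || pa.some(Number.isNaN)) return -1; // unparsable: treat as vulnerable
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return pre ? -1 : 0; // a pre-release of the fixed version sorts below it
}

// List every copy (direct or transitive) older than `fixed` as {path, version}.
function findVulnerable(lock, name = PACKAGE_NAME, fixed = FIXED) {
  const hits = [];
  const check = (path, version) => {
    if (typeof version === 'string' && cmp(version, fixed) < 0) hits.push({ path, version });
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (('/' + path).endsWith('/node_modules/' + name)) check(path, meta.version);
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name) check(path, meta.version);
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile; "rule-engine" and both versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.34' },
    'node_modules/rule-engine/node_modules/@nyariv/sandboxjs': { version: '0.8.23' },
  },
};
console.log(findVulnerable(SAMPLE_LOCK)); // reports only the nested 0.8.23 copy
```

In practice, pass the result of `JSON.parse` on the project's `package-lock.json` instead of `SAMPLE_LOCK` and fail the build when the returned list is not empty.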

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents the highest possible technical risk, as it completely negates the security guarantees provided by the product. IT administrators must ensure that all instances of SandboxJS are updated to version 0.8.34 immediately. Continuous monitoring of sandboxed execution environments is also recommended to detect any further bypass attempts.