A critical sandbox escape vulnerability in SandboxJS allows attackers to bypass security protections, enabling arbitrary code execution and persistence across sandbox instances.

The library fails to sufficiently block access to the constructor property within the sandbox. Attackers can leverage this.constructor.call to write arbitrary properties into host global objects, effectively breaking the isolation boundary.

This flaw permits an attacker to escape the intended sandbox isolation, which could lead to unauthorized access to host-level resources and sensitive memory. Given the CVSS score of 10.0, this represents the highest level of risk to applications relying on SandboxJS for secure code execution.

Immediate Action: Update the SandboxJS library to version 0.8.36 or later immediately.

Proactive Monitoring: Review application logs for unusual global object modifications or unexpected cross-sandbox interaction patterns.

Compensating Controls: Ensure that applications utilizing sandboxing implement secondary defense-in-depth measures, such as limiting the privileges of the process running the sandbox.

Public Exploit Available: Unknown

Given the critical CVSS rating, immediate remediation is required. Organizations using SandboxJS must prioritize upgrading to version 0.8.36 to ensure the integrity of their sandboxed environments and prevent potential host-level compromise.