PT-2026-39892 · Npm · @Nyariv/Sandboxjs

Macabely

·

Published

2026-05-09

·

Updated

2026-06-17

·

CVE-2026-43898

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.9.6
Description Sandbox-defined functions expose the Function.caller property, which allows sandboxed code to recover the internal LispType.Call runtime callback. An attacker can invoke this callback using forged context and obj values to extract blocked host statics and recover the real host Function constructor. This process enables a total sandbox escape, allowing the execution of arbitrary host JavaScript. The issue stems from property access logic where sandboxed code can access caller, callee, and arguments properties on functions, specifically leaking the host-side callback in CommonJS builds. The LispType.Call handler is vulnerable because it accepts a parameters object and uses its fields without verifying they originated from the executor.
Recommendations Update to version 0.9.6.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09273
CVE-2026-43898
GHSA-G8F2-4F4F-5JQW

Affected Products

@Nyariv/Sandboxjs