PT-2026-39892 · Npm · @Nyariv/Sandboxjs
Macabely
·
Published
2026-05-09
·
Updated
2026-06-17
·
CVE-2026-43898
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SandboxJS versions prior to 0.9.6
Description
Sandbox-defined functions expose the
Function.caller property, which allows sandboxed code to recover the internal LispType.Call runtime callback. An attacker can invoke this callback using forged context and obj values to extract blocked host statics and recover the real host Function constructor. This process enables a total sandbox escape, allowing the execution of arbitrary host JavaScript. The issue stems from property access logic where sandboxed code can access caller, callee, and arguments properties on functions, specifically leaking the host-side callback in CommonJS builds. The LispType.Call handler is vulnerable because it accepts a parameters object and uses its fields without verifying they originated from the executor.Recommendations
Update to version 0.9.6.
Exploit
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Nyariv/Sandboxjs