CVE-2026-23830

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.8.26

Description SandboxJS, a JavaScript sandboxing library, has a flaw where the AsyncFunction constructor is not properly isolated within the SandboxFunction. The library aims to secure code execution by replacing the global Function constructor with a sandboxed version. However, prior to version 0.8.26, mappings for AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction were missing. This allows code within the sandbox to access the native host AsyncFunction constructor via the .constructor property of an async function. By obtaining this constructor, an attacker can create and execute functions outside the sandbox, leading to Remote Code Execution (RCE). The vulnerability is due to the failure to intercept the AsyncFunction constructor, allowing attackers to bypass security restrictions and gain full access to the host environment.

Recommendations Versions prior to 0.8.26 should be updated to version 0.8.26 or later.