Nyariv Sandboxjs vulnerabilities
14 known vulnerabilities affecting nyariv/sandboxjs.
Total CVEs
14
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL10HIGH3MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2026-23830P2CRITICALCVSS 10.0fixed in 0.8.262026-01-28
CVE-2026-23830 [CRITICAL] CWE-94 CVE-2026-23830: SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnera
SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by
ghsanvdosv
CVE-2026-25142P2CRITICALCVSS 10.0fixed in 0.8.272026-02-02
CVE-2026-25142 [CRITICAL] CWE-94 CVE-2026-25142: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict _
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
ghsanvdosv
CVE-2026-43898P2CRITICALCVSS 10.0fixed in 0.9.62026-05-28
CVE-2026-43898 [CRITICAL] CWE-94 CVE-2026-43898: SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Funct
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constru
ghsanvd
CVE-2026-25520P2CRITICALCVSS 10.0fixed in 0.8.292026-02-06
CVE-2026-25520 [CRITICAL] CWE-74 CVE-2026-25520: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandb
ghsanvdosv
CVE-2026-34208P2CRITICALCVSS 10.0fixed in 0.8.362026-04-06
CVE-2026-34208 [CRITICAL] CWE-693 CVE-2026-34208: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal functio
ghsanvdosv
CVE-2026-25586P2CRITICALCVSS 10.0fixed in 0.8.292026-02-06
CVE-2026-25586 [CRITICAL] CWE-74 CVE-2026-25586: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shado
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persiste
ghsanvdosv
CVE-2026-26954P3CRITICALCVSS 10.0fixed in 0.8.342026-03-13
CVE-2026-26954 [CRITICAL] CWE-94 CVE-2026-26954: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays conta
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.
ghsanvdosv
CVE-2026-25881P3CRITICALCVSS 10.0fixed in 0.8.312026-02-09
CVE-2026-25881 [CRITICAL] CWE-1321 CVE-2026-25881: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the is
ghsanvdosv
CVE-2026-25587P3CRITICALCVSS 10.0fixed in 0.8.292026-02-06
CVE-2026-25587 [CRITICAL] CWE-94 CVE-2026-25587: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's pro
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
ghsanvdosv
CVE-2026-25641P3CRITICALCVSS 9.0fixed in 0.8.292026-02-06
CVE-2026-25641 [CRITICAL] CWE-367 CVE-2026-25641: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerabili
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objec
ghsanvdosv
CVE-2026-34217P3HIGHCVSS 7.2fixed in 0.8.362026-04-06
CVE-2026-34217 [HIGH] CWE-668 CVE-2026-34217: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability ex
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. Whi
ghsanvdosv
CVE-2026-34211P3HIGHCVSS 7.5fixed in 0.8.362026-04-06
CVE-2026-34211 [HIGH] CWE-674 CVE-2026-34211: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: M
ghsanvdosv
CVE-2025-34146P4HIGHCVSS 7.0≤ 0.8.232025-07-31
CVE-2025-34146 [HIGH] CWE-1321 CVE-2025-34146: A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attacke
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerab
ghsanvdosv
CVE-2026-32723P4MEDIUMCVSS 4.7fixed in 0.8.352026-03-18
CVE-2026-32723 [MEDIUM] CWE-362 CVE-2026-32723: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-qu
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sand
ghsanvdosv