Critical (10.0)

SandboxJS Sandbox Escape (CVE-2026-34208)

CVE-2026-34208

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an expo...

Overview

A critical sandbox escape vulnerability, CVE-2026-34208, exists in versions of the SandboxJS library prior to 0.8.36. This flaw allows untrusted code running inside the sandbox to break out of its isolated environment and directly modify the host application’s global objects.

Vulnerability Details

SandboxJS is designed to safely execute untrusted JavaScript code by restricting its access to the host system. The library correctly blocked direct assignments to global objects like Math. However, a bypass was discovered using the this.constructor.call() method chain. Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is permitted, an attacker can use this path to write arbitrary properties into the host’s global scope. Crucially, these malicious mutations persist across different sandbox instances within the same Node.js process, leading to a permanent corruption of the application environment.

Impact

With a maximum CVSS score of 10.0, this vulnerability has severe consequences. An attacker who can supply malicious JavaScript to a vulnerable SandboxJS instance can:

  • Permanently alter or poison core JavaScript objects (e.g., Math, Object, Array) for the entire application process.
  • Potentially overwrite security-critical functions to bypass other controls.
  • Achieve a full sandbox escape, leading to remote code execution (RCE) depending on how the sandbox is integrated. The “network” attack vector and lack of required privileges or user interaction make this highly exploitable.

Remediation and Mitigation

The primary and only complete mitigation is to upgrade the SandboxJS library immediately.

Action Required:

  1. Update: Upgrade SandboxJS to version 0.8.36 or later. This version contains the fix for the constructor call path bypass.
  2. Audit: Review your applications for the use of SandboxJS. Check package.json files and dependency trees to identify all affected instances.
  3. No Workaround: There is no effective configuration-based workaround. Updating the library is mandatory.
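
An added example for the audit step above (not code from the advisory or the SandboxJS project): a Node.js check that walks an npm lockfile and reports every installed copy of SandboxJS below 0.8.36, including nested transitive copies. The package name @nyariv/sandboxjs, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
const FIXED = '0.8.36';          // fixed version stated in the advisory
const PKG = '@nyariv/sandboxjs'; // ASSUMED npm package name; confirm in your manifests

// Compare dotted versions. A pre-release of the same core version ("0.8.36-beta.1")
// sorts below the release, so it is still reported as needing an upgrade.
function compareVersions(a, b) {
  const [coreA, preA] = a.split('-');
  const [coreB, preB] = b.split('-');
  const x = coreA.split('.').map(Number);
  const y = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return (preA ? -1 : 0) - (preB ? -1 : 0);
}

// Return every installed copy of pkg older than `fixed`, nested copies included.
function findVulnerable(lock, pkg = PKG, fixed = FIXED) {
  const hits = [];
  const old = (m) => m && m.version && compareVersions(m.version, fixed) < 0;
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + pkg) && old(meta)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === pkg && old(meta)) {
        hits.push({ path: [...trail, name].join(' > '), version: meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.36' },
    'node_modules/rule-engine/node_modules/@nyariv/sandboxjs': { version: '0.8.23' },
  },
};
for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`UPGRADE ${PKG}@${h.version} at ${h.path}`);
```

To audit a real project, pass the parsed contents of package-lock.json to findVulnerable and repeat for every lockfile in the repository; a nested hit means a dependency pins its own old copy, so upgrading only the top-level entry does not clear it.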

Security Insight

This vulnerability highlights the persistent challenge of achieving true isolation in JavaScript environments, reminiscent of historical Node.js sandbox escapes like those in the vm2 module. It underscores that blocking obvious assignment paths is insufficient; security must also account for the dynamic, prototype-based nature of JavaScript where functions are first-class objects that can be repurposed as attack vectors. The flaw reveals a common oversight in sandbox design: failing to comprehensively restrict access to constructor and callable properties of core objects.
