A critical security vulnerability has been discovered in SandboxJS, a widely deployed JavaScript sandboxing library distributed via npm under the package name @nyariv/sandboxjs. Tracked as CVE-2026-43898 and assigned a maximum CVSS score of 10.0, the flaw allows an attacker to completely break out of the sandboxed environment and execute arbitrary code directly on the host system — with no authentication or user interaction required.
What Is SandboxJS and Why Does It Matter?
SandboxJS is a library designed to let developers safely run untrusted JavaScript code within a contained environment. It is used across a wide range of applications, including online code editors, server-side scripting platforms, automation tools, and any system that needs to execute user-submitted scripts. The fundamental promise of a sandboxing library is isolation: code running inside the sandbox cannot reach outside it. CVE-2026-43898 shatters that promise entirely.
All versions of @nyariv/sandboxjs up to and including version 0.9.5 are affected. A patched version, 0.9.6, has been released on npm and all users should update immediately.
How the Sandbox Escape Works
The vulnerability was identified by security researchers at GitHub and published under advisory identifier GHSA-g8f2-4f4f-5jqw. A researcher known as Macabely discovered and reported the flaw, providing a working proof-of-concept demonstrating full exploitation under real-world conditions.
The root cause lies in the property access logic inside a file called prop.ts, specifically within a function called addOps. Sandboxed code was incorrectly permitted to read the caller, callee, and arguments properties on functions. In the CommonJS build of the library, this oversight made it possible for sandboxed code to call something like function f(){ return f.caller } and receive back the internal host-side callback that originally triggered the sandboxed execution.
That leaked callback is the LispType.Call operation — the handler responsible for function calls inside the SandboxJS runtime. The critical problem is that this handler accepts a params object and uses its fields directly, without verifying that those fields originated from the trusted executor. An attacker who controls these fields can craft forged input that tricks the handler into performing entirely unintended actions.
From Callback Leak to Full Host Takeover
By chaining a series of crafted calls through the leaked callback, an attacker can extract the real host Function constructor. Once in possession of that constructor, they can pass it any arbitrary JavaScript string and execute it directly on the host — completely outside the sandbox. The proof-of-concept included in the advisory demonstrates this by invoking system commands through Node.js’s built-in child_process module.
The CVSS breakdown reflects the severity of the vulnerability:
- Network-accessible: The attack can be launched remotely over the network without physical proximity
- No authentication needed: No credentials whatsoever are required to trigger the vulnerability
- No user interaction: The exploit requires zero action from any user on the target system
- Low attack complexity: The technique requires no specialized conditions and is straightforward to weaponize
- Scope: Changed — a successful exploit crosses the boundary from the sandboxed environment into the host system
Who Is at Risk?
Any application or platform using SandboxJS to execute untrusted or third-party JavaScript is directly exposed. This includes:
- Online coding playgrounds and REPL environments
- Server-side script execution engines
- Automation and workflow platforms processing user-submitted code
- Development tools and CI environments that sandbox build scripts
- Any SaaS product offering customer-facing “run your own code” functionality
Once the sandbox is compromised, an attacker gains unrestricted access to the confidentiality, integrity, and availability of the host system. In a multi-tenant cloud environment, this could mean accessing other customers’ data, stealing secrets, or pivoting to internal infrastructure.
Remediation Steps
The fix in version 0.9.6 addresses the root cause by blocking access to the caller, callee, and arguments properties within sandboxed code. Security teams should:
- Upgrade
@nyariv/sandboxjsto version 0.9.6 or later immediately across all environments - Audit any application that runs untrusted JavaScript through the affected package
- If an immediate upgrade is not feasible, cease executing untrusted JavaScript through the library until the patch is applied
- Review server and process logs for anomalous child process invocations that may indicate past exploitation
- Consider scanning transitive dependencies for indirect usage of the affected package
With a CVSS score of 10.0 and a publicly available proof-of-concept, this vulnerability should be treated as a P0 incident. Defenders are strongly urged to patch without delay and inspect any system that runs SandboxJS for signs of compromise.