A severe security flaw has been identified in SandboxJS, a popular JavaScript sandboxing library used to safely execute untrusted code within web and Node.js applications. The vulnerability, tracked as CVE-2026-26954, has been assigned a maximum CVSS score of 10, indicating the highest level of risk to affected systems.
Breaking the Kingdom’s Gates
Sandboxing is a fundamental security practice designed to prevent malicious dependencies or supply chain attacks from gaining full access to an application’s environment. However, this new discovery reveals that the very walls meant to contain untrusted code can be scaled.
The flaw allows an attacker to obtain arrays containing the Function constructor, which serves as a “golden ticket” to escape the restricted environment. By manipulating standard JavaScript methods, an adversary can bypass the library’s security constraints.
“It is possible to obtain arrays containing Function, which allows escaping the sandbox… this can be used to escape the sandbox.”
The Path to Remote Code Execution
The technical root of the issue lies in how SandboxJS handles certain object properties. Researchers found multiple ways to trick the library into yielding the Function object, such as using Object.entries(this).at(1) or Object.values(this).slice(1, 2).
Once an attacker has access to an array containing Function, they can use Object.fromEntries to construct a malicious object. This enables a sandbox escape, leading directly to Remote Code Execution (RCE). In a successful attack, the attacker could execute arbitrary system commands—such as spawning a shell or reading sensitive files—with the same privileges as the host application.
Emergency Patch Released
The vulnerability impacts all versions of SandboxJS up to and including version 0.8.33. Due to the critical nature of this flaw and the ease with which it can be exploited, developers are urged to update their dependencies immediately.
- Affected Versions: <= 0.8.33
- Patched Version: 0.8.34
Securing Your Environment
In light of this discovery, security teams are advised to perform the following actions:
- Immediate Update: Upgrade SandboxJS to version 0.8.34 or later to eliminate the escape route.
- Audit Dependencies: Review all third-party libraries that utilize sandboxing to ensure they are patched against similar logic flaws.
- Principle of Least Privilege: Even when using a sandbox, ensure the host process runs with the minimal permissions necessary to reduce the impact of a potential escape.
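For the update and audit steps above, the following added example (not code from the SandboxJS project or from this report) checks a parsed npm lockfile for any installed copy, including transitive ones, that is older than 0.8.34. The package name `@nyariv/sandboxjs` and the function names `isAffected`, `findInstalls` and `audit` are assumptions made for illustration; the sample lockfile is constructed.

```javascript
// Added example: flag SandboxJS installs below the patched release in an npm lockfile.
// PKG is an assumed npm package name (the article does not give one); adjust to your manifest.
const PKG = '@nyariv/sandboxjs';
const PATCHED = [0, 8, 34]; // first fixed version per the article
// True when `version` is below PATCHED. Unparseable values (git URLs, missing
// fields) and pre-releases of PATCHED are flagged so a human reviews them.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return /^\d+\.\d+\.\d+-/.test(String(version));
}

// Every installed copy of `name` in a parsed package-lock.json, including nested ones.
function findInstalls(lock, name = PKG) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

const audit = (lock, name = PKG) => findInstalls(lock, name).filter((h) => isAffected(h.version));
// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.34' },
    'node_modules/some-plugin/node_modules/@nyariv/sandboxjs': { version: '0.8.33' },
  },
};
for (const h of audit(sampleLock)) console.log(`AFFECTED ${h.path} @ ${h.version}`);
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `audit`; a non-empty result means at least one copy still needs the upgrade to 0.8.34.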