The fundamental promise of any digital sandbox is strict isolation: providing a secure container where untrusted code can run without threatening the underlying host system. However, a critical new vulnerability in a widely used JavaScript utility has shattered that boundary.
According to a newly disclosed security advisory, a severe sandbox escape vulnerability has been discovered in SandboxJS, a popular JavaScript sandboxing library designed to securely execute untrusted code. The flaw, tracked as CVE-2026-43898 (CVSS 10), allows malicious actors to break out of the restricted environment and achieve full Remote Code Execution (RCE) on the host machine.
At the heart of the issue is a classic JavaScript oversight. When the sandbox creates functions using createFunction(), it generates ordinary host functions. Because these functions aren’t sufficiently isolated, malicious sandboxed code can use a simple trick:
By accessing Function.caller, the restricted code can “reach out” and grab the host-side callback that triggered it. In this case, it recovers the internal LispType.Call runtime callback.
Once an attacker has their hands on this internal callback, the sandbox’s protection crumbles. The leaked callback accepts parameters from the attacker without performing any authentication checks.
By providing a “fake” context, an attacker can manipulate internal primitives to:
- Extract blocked host statics.
- Recover the real host Function constructor.
- Execute arbitrary JavaScript directly on the host machine.
Essentially, the very tool meant to prevent supply chain attacks and secure untrusted code becomes the gateway for an attacker to take over the entire application.
Security researchers urge all users to update to version 0.9.6 immediately to close the Function.caller loophole and secure their internal callbacks.
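To make the Function.caller mechanism concrete from the defender's side, here is an added example (not SandboxJS code, and not taken from the advisory) that a maintainer can run under Node.js to check whether a function compiled from an untrusted body can observe the host function that invoked it. The names `sloppyHostCall`, `strictHostCall`, `createUntrustedSloppy` and `createUntrustedStrict` are constructed stand-ins for a sandbox's function factory and its host-side runtime callback; they are not the library's API. The check relies on the engine's legacy `caller` semantics as implemented in V8: a sloppy-mode function exposes its caller, a strict-mode function throws on `arguments.callee` and `.caller`, and a sloppy function whose caller is strict sees `null`.

```javascript
// Added demonstration (not SandboxJS code): audits whether a function
// compiled from an untrusted source body can reach the host-side function
// that invoked it through the legacy Function.prototype.caller accessor.
// All names and bodies here are constructed for the demonstration.

// The simulated host callbacks are built with the Function constructor so
// that they are sloppy-mode (or explicitly strict) regardless of whether
// this file is loaded as CommonJS or as an ES module.
const sloppyHostCall = new Function('fn', 'return fn();');
const strictHostCall = new Function('fn', '"use strict"; return fn();');

// Vulnerable pattern: the untrusted body becomes an ordinary sloppy-mode
// function, so arguments.callee and .caller are available inside it.
function createUntrustedSloppy(body) {
  return new Function(body);
}

// Hardened pattern: a "use strict" directive is prepended to the body, so
// arguments.callee and .caller throw a TypeError inside the untrusted code.
function createUntrustedStrict(body) {
  return new Function('"use strict";\n' + body);
}

// Probe body (constructed): asks for whichever function is calling it.
const CALLER_PROBE = 'return arguments.callee.caller;';

// Invoke fn through hostCall and report whether fn obtained a reference to
// hostCall. A TypeError raised by the strict-mode restrictions counts as
// "no leak"; any other error is a genuine failure and is re-thrown.
function leaksHostCaller(hostCall, fn) {
  try {
    return hostCall(fn) === hostCall;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Exercise all four combinations of host-callback and untrusted-function
// modes; only the sloppy/sloppy pairing should report a leak.
function auditCallerLeak() {
  return {
    sloppyHostSloppyFn: leaksHostCaller(sloppyHostCall, createUntrustedSloppy(CALLER_PROBE)),
    sloppyHostStrictFn: leaksHostCaller(sloppyHostCall, createUntrustedStrict(CALLER_PROBE)),
    strictHostSloppyFn: leaksHostCaller(strictHostCall, createUntrustedSloppy(CALLER_PROBE)),
    strictHostStrictFn: leaksHostCaller(strictHostCall, createUntrustedStrict(CALLER_PROBE)),
  };
}

console.log(auditCallerLeak());
```

The table of results is the useful part: making either side strict is enough to stop the sloppy-mode `caller` walk, and a maintainer can keep a check like `auditCallerLeak()` in a test suite so that a future change to how functions are compiled or invoked cannot silently reopen the loophole.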