Critical SandboxJS Vulnerability Lets Attackers Take Over Hosts

Marcus Rodriguez
May 13, 2026 4 Min Read

Key Takeaways

  • A critical vulnerability, CVE-2026-43898, has been discovered in SandboxJS, a popular JavaScript sandboxing library.
  • The flaw allows attackers to completely escape the sandbox environment and execute arbitrary code on the host system.
  • All versions of the @nyariv/sandboxjs package up to and including 0.9.5 are affected.
  • The vulnerability carries a maximum CVSS score of 10.0, indicating extreme severity.
  • A patched version, 0.9.6, is available on npm, and immediate updates are strongly recommended.

Critical SandboxJS Flaw Exposes Hosts to Complete Takeover

A severe security vulnerability has been identified in SandboxJS, a widely utilized JavaScript sandboxing library distributed via npm. This critical flaw enables malicious actors to bypass the sandbox’s isolation, gaining the ability to execute arbitrary code directly on the underlying host system, posing a significant threat to applications relying on the library for secure script execution.

Designated as CVE-2026-43898, this vulnerability has been assigned the highest possible CVSS score of 10.0, signifying its maximum severity. The flaw impacts all versions of the @nyariv/sandboxjs package up to and including version 0.9.5. The core issue stems from sandboxed functions inadvertently exposing a critical internal callback, LispType.Call.

Once an attacker gains control of this callback, they can leverage it to bypass the sandbox’s boundaries and achieve unfettered control over the underlying host environment. The implications are profound, as this allows for full remote code execution without requiring authentication or user interaction. Any application that uses the vulnerable library to execute untrusted JavaScript is therefore at significant risk of complete system compromise.

Discovery and Disclosure

The vulnerability was identified by security researchers at GitHub, who subsequently published an advisory under the identifier GHSA-g8f2-4f4f-5jqw. Credit for reporting the flaw goes to a security researcher known as Macabely, who also provided a functional proof-of-concept (PoC) demonstrating the sandbox escape in real-world conditions.

How the Sandbox Escape Works

The vulnerability resides within the property access logic of the prop.ts file, specifically within the addOps function. The flaw allows sandboxed code to read the caller, callee, and arguments properties of functions. In the CommonJS build of the library, this design oversight permits a sandboxed function to invoke a construct such as function f(){ return f.caller }, which then returns the internal host-side callback that initiated the sandboxed execution.

This leaked callback is the LispType.Call operation, responsible for managing function calls within the runtime. Crucially, this handler accepts a params object and directly utilizes its fields without validating whether these fields originated from a trusted executor. This lack of validation allows an attacker to manipulate these fields, crafting malicious input that tricks the handler into performing unintended operations.

By orchestrating a series of carefully constructed calls through the compromised callback, an attacker can extract the legitimate host’s Function constructor. With access to the host’s Function constructor, an attacker can then inject and execute arbitrary JavaScript code directly on the host system. The provided PoC vividly illustrates this capability by executing a system command via Node.js’s built-in child_process module.

Remote Code Execution and the Broader Risk

The CVSS score of 10.0 underscores the extreme danger posed by this vulnerability. Exploiting this flaw is a low-complexity operation that can be initiated over a network, requires no special privileges, and demands no user interaction. The “Changed” scope rating further emphasizes the severity, indicating that a successful exploit transcends the sandbox’s boundaries, directly impacting the host system.

Any platform or application that employs SandboxJS to execute untrusted JavaScript is directly exposed to this threat. This encompasses a wide range of systems, including online code editors, server-side scripting environments, automation platforms, and any application designed to process external or user-submitted scripts. A successful sandbox escape grants attackers full control over the confidentiality, integrity, and availability of the compromised host.

A patched version, 0.9.6, is now available on npm. This update addresses the root cause of the vulnerability by restricting access to the caller, callee, and arguments properties within sandboxed code.
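
The caller leak described under "How the Sandbox Escape Works" and the property restriction described for 0.9.6, reproduced in plain JavaScript as an added illustration; it is not SandboxJS code or the reporter's PoC. The names hostDispatch, rawGet, guardedGet and probe are hypothetical, and the deny-list is an assumed shape of the fix.

```javascript
// Added illustration in plain JavaScript; none of this is SandboxJS source code.
// Code compiled by the Function constructor is non-strict, matching the
// non-strict CommonJS build in which the article says the leak occurs.

// Hypothetical host-side routine that invokes guest functions.
const hostDispatch = new Function(
  'return function hostDispatch(guest, get) { return guest(get); }')();

// Guest equivalent to the article's `function f(){ return f.caller }`, with the
// property read routed through the getter supplied by the host.
const guest = new Function(
  'return function f(get) { return get(f, "caller"); }')();

// Unguarded property read: what an interpreter without a deny-list performs.
function rawGet(obj, prop) {
  return obj[prop];
}

// Guarded read: assumed shape of the restriction described for 0.9.6.
const DENIED = new Set(['caller', 'callee', 'arguments']);
function guardedGet(obj, prop) {
  if (DENIED.has(String(prop))) {
    throw new TypeError(`"${String(prop)}" is not readable from sandboxed code`);
  }
  return obj[prop];
}

// Run the guest under a given getter and report what came back.
function probe(get) {
  try {
    const leaked = hostDispatch(guest, get);
    return leaked === hostDispatch ? 'host function leaked' : 'nothing leaked';
  } catch (err) {
    return `blocked: ${err.message}`;
  }
}

console.log('unguarded:', probe(rawGet));
console.log('guarded:  ', probe(guardedGet));
```

With the unguarded getter the guest receives a reference to the host routine that called it; with the deny-list in place the same read is rejected before any host object is returned.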

What You Should Do

  • Immediate Update: All users of the @nyariv/sandboxjs package are strongly advised to update to version 0.9.6 or later immediately.
  • Isolate Untrusted Code: If an immediate update is not feasible, refrain from executing any untrusted JavaScript code through the affected library until the patch can be properly applied and thoroughly tested in your environment.
  • Review Dependencies: Developers should audit their project dependencies to identify any reliance on vulnerable versions of SandboxJS.
  • Implement Least Privilege: Ensure that any applications running sandboxed JavaScript operate with the absolute minimum necessary privileges on the host system.
  • Monitor for Exploitation: Implement robust monitoring solutions to detect unusual activity or unauthorized code execution on systems utilizing SandboxJS.
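
One way to carry out the dependency review above: an added example (not code from the advisory or the SandboxJS project) that walks a parsed package-lock.json and flags every installed copy of @nyariv/sandboxjs older than 0.9.6, including copies pulled in transitively. The sample lockfile and the "script-runner" dependency are constructed for the demonstration.

```javascript
// Added example: not code from SandboxJS or the advisory.
const PKG = '@nyariv/sandboxjs';
const FIXED = [0, 9, 6]; // first patched release named in the article

// Classify a version string as 'vulnerable', 'patched' or 'unknown'.
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version));
  if (!m) return 'unknown'; // git URL, tarball or missing version: review by hand
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (core[i] !== FIXED[i]) return core[i] < FIXED[i] ? 'vulnerable' : 'patched';
  }
  // Same core as the fix: a pre-release such as 0.9.6-beta.1 sorts before 0.9.6.
  return m[4] ? 'vulnerable' : 'patched';
}

// Walk a parsed package-lock.json and report every installed copy of PKG.
function auditLock(lock) {
  const findings = [];
  const add = (path, meta) =>
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) add(path, meta);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === PKG) add(path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample lockfile (hypothetical app and "script-runner" dependency).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.9.6' },
    'node_modules/script-runner/node_modules/@nyariv/sandboxjs': { version: '0.9.5' },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

On a real project, pass the result of JSON.parse on package-lock.json to auditLock; `npm ls @nyariv/sandboxjs` lists the same install paths for cross-checking.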
