{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T18:25:38.107","vulnerabilities":[{"cve":{"id":"CVE-2026-23830","sourceIdentifier":"security-advisories@github.com","published":"2026-01-28T00:15:50.170","lastModified":"2026-06-17T10:22:10.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability."},{"lang":"es","value":"SandboxJS es una librería de sandboxing de JavaScript. 
Las versiones anteriores a la 0.8.26 tienen una vulnerabilidad de escape de sandbox debido a que `AsyncFunction` no está aislada en `SandboxFunction`. La librería intenta aplicar un sandbox a la ejecución de código reemplazando el constructor global `Function` con una versión segura y con sandbox (`SandboxFunction`). Esto se maneja en `utils.ts` mapeando `Function` a `sandboxFunction` dentro de un mapa utilizado para búsquedas. Sin embargo, antes de la versión 0.8.26, la librería no incluía mapeos para `AsyncFunction`, `GeneratorFunction` y `AsyncGeneratorFunction`. Estos constructores no son propiedades globales, pero se puede acceder a ellos a través de la propiedad `.constructor` de una instancia (por ejemplo, `(async () => {}).constructor`). En `executor.ts`, se maneja el acceso a propiedades. Cuando el código que se ejecuta dentro del sandbox accede a `.constructor` en una función asíncrona (que el sandbox permite crear), el `executor` recupera el valor de la propiedad. Dado que `AsyncFunction` no estaba en el mapa de reemplazo seguro, el `executor` devuelve el constructor `AsyncFunction` nativo real del host. Los constructores para funciones en JavaScript (como `Function`, `AsyncFunction`) crean funciones que se ejecutan en el ámbito global. Al obtener el constructor `AsyncFunction` del host, un atacante puede crear una nueva función asíncrona que se ejecuta completamente fuera del contexto del sandbox, eludiendo todas las restricciones y obteniendo acceso total al entorno del host (ejecución remota de código). 
La versión 0.8.26 corrige esta vulnerabilidad."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"nyariv","product":"SandboxJS","versions":[{"version":"< 0.8.26","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-28T15:09:12.332920Z","id":"CVE-2026-23830","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"},{"lang":"en","value":"CWE-693"},{"lang":"en","value":"CWE-913"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*","versionEndExcluding":"0.8.26","matchCriteriaId":"39569A92-6C8F-4E00-8280-F8AA92EA4150"}]}]}],"references":[{"url":"https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}