CVE-2026-43898
CRITICALSandboxJS: Sandbox escape via Function.caller leakage of internal call op
Title source: cnaDescription
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-g8f2-4f4f-5jqw
X_Refsource_Misc x_refsource_misc
https://github.com/nyariv/SandboxJS/commit/826865251232611ec94078bab5a18ec875dad4a5
Scores
CVSS v3
10.0
EPSS
0.0047
EPSS Percentile
36.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
nyariv/sandboxjs
< 0.9.6
nyariv/sandboxjs
0 - 0.9.6npm
nyariv/SandboxJS
< 0.9.6
Published
May 28, 2026
Tracked Since
May 28, 2026