Published on May 13, 2026

Critical SandboxJS Escape Vulnerability Enables Host Takeover


Severity

Critical

Detail

A critical security vulnerability has been discovered in SandboxJS, a widely used JavaScript sandboxing library available on npm. The vulnerability, tracked as CVE-2026-43898, allows attackers to escape the sandbox environment and execute arbitrary code directly on the underlying host system, potentially resulting in full Remote Code Execution (RCE) without requiring authentication or user interaction.

The issue affects all versions of the nyariv/sandboxjs package up to and including version 0.9.5. According to security researchers, the vulnerability is caused by improper handling of internal function properties within the sandbox environment: attackers may abuse exposed internal callbacks to bypass sandbox restrictions and gain unauthorized access to the host runtime environment. Researchers confirmed that successful exploitation could allow attackers to execute system-level commands on affected servers. Because SandboxJS is commonly used to safely execute untrusted or user-supplied JavaScript code, applications such as online code editors, automation platforms, server-side scripting environments, and other systems that rely on JavaScript sandboxing are at significant risk.

The vulnerability was identified by GitHub security researchers under advisory ID GHSA-g8f2-4f4f-5jqw and reported by security researcher Macabely. Due to the critical severity and ease of exploitation, organizations using affected SandboxJS versions are strongly advised to remediate immediately to prevent potential host compromise, unauthorized access, data theft, or service disruption.

CVE ID: CVE-2026-43898
Summary: Sandbox escape vulnerability in SandboxJS allows attackers to execute arbitrary code on the host system through improper function property access handling.
CVSS Score: 10.0 (Critical)

Affected Products

The vulnerability affects all versions of SandboxJS (@nyariv/sandboxjs) up to and including version 0.9.5.

Recommendation

Organizations and developers are strongly advised to take the following actions immediately:

  • Upgrade @nyariv/sandboxjs to version 0.9.6 or later immediately
  • Temporarily disable execution of untrusted JavaScript code if patching cannot be completed immediately
  • Review applications and platforms that rely on SandboxJS for code isolation or script execution

Source

https://feedly.com/cve/CVE-2026-43898

https://cybersecuritynews.com/critical-sandboxjs-escape-vulnerability/