Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.27, 0.8.26
CVE-2026-23830 describes a critical sandbox escape vulnerability discovered in the @nyariv/sandboxjs library for Node.js. This flaw allows attackers to bypass the intended sandboxing mechanism, potentially leading to arbitrary code execution within the application. The vulnerability affects versions prior to 0.8.26, and a patch has been released to address the issue.
The core of the vulnerability lies in the library's attempt to sandbox code execution by replacing the global Function constructor. While mappings were implemented for Function, crucial omissions existed for AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction. Attackers can leverage this by accessing the .constructor property of instances of these functions, effectively bypassing the sandbox and executing malicious code with the privileges of the sandboxed environment. This could lead to data breaches, system compromise, or complete control over the affected application. The impact is particularly severe in environments where @nyariv/sandboxjs is used to execute untrusted code.
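The mapping gap described above, as an added example that is not code from @nyariv/sandboxjs: JavaScript has four distinct intrinsic function constructors, only `Function` is a global, and the other three are reachable through `.constructor` on an instance, so a sandbox that maps `Function` alone leaves three live compilers exposed. The `mapping`, `blockedConstructor` and `resolveConstructor` names are this example's own, not the library's API.

```javascript
// All four intrinsic function constructors. Only `Function` is a global;
// the other three are reachable through instances (or their prototypes).
const FUNCTION_CONSTRUCTORS = {
  Function: Function,
  AsyncFunction: Object.getPrototypeOf(async function () {}).constructor,
  GeneratorFunction: Object.getPrototypeOf(function* () {}).constructor,
  AsyncGeneratorFunction: Object.getPrototypeOf(async function* () {}).constructor,
};

// Given a sandbox's constructor mapping (a Map from intrinsic constructor to
// its sandboxed replacement), return the names of constructors left unmapped.
// The vulnerable pattern is a mapping that covers `Function` alone.
function missingConstructorMappings(mapping) {
  return Object.entries(FUNCTION_CONSTRUCTORS)
    .filter(([, ctor]) => !mapping.has(ctor))
    .map(([name]) => name);
}

// A safe replacement that refuses to compile code at runtime.
function blockedConstructor() {
  throw new Error('dynamic code compilation is not allowed in the sandbox');
}

// Build a complete mapping: every intrinsic constructor -> blocked replacement.
function completeMapping() {
  const m = new Map();
  for (const ctor of Object.values(FUNCTION_CONSTRUCTORS)) m.set(ctor, blockedConstructor);
  return m;
}

// Resolve `.constructor` through the mapping, as a hardened sandbox would when a
// script reads that property on a function value. Returns the replacement when
// one is mapped, otherwise the real (unsandboxed) constructor leaks through.
function resolveConstructor(mapping, fn) {
  const real = fn.constructor;
  return mapping.has(real) ? mapping.get(real) : real;
}

// Vulnerable mapping (constructed for this example): `Function` only.
const functionOnly = new Map([[Function, blockedConstructor]]);
console.log(missingConstructorMappings(functionOnly));
// → [ 'AsyncFunction', 'GeneratorFunction', 'AsyncGeneratorFunction' ]
console.log(missingConstructorMappings(completeMapping())); // → []
```

Running `missingConstructorMappings` against a sandbox's own constructor table is a quick way to confirm, after upgrading, that all four compilers are intercepted.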
This vulnerability was publicly disclosed on 2026-01-27. There is currently no indication of active exploitation in the wild, but the critical severity and the availability of a public proof-of-concept increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of Node.js, makes this a high-priority vulnerability to address.
Applications utilizing @nyariv/sandboxjs to execute untrusted code, particularly those handling user-supplied scripts or external data, are at significant risk. This includes web applications, command-line tools, and any Node.js environment where sandboxing is employed to isolate potentially malicious code.
• nodejs / supply-chain: `npm list @nyariv/sandboxjs`
• nodejs / supply-chain: `npm audit @nyariv/sandboxjs`
• nodejs / supply-chain: `grep -r 'AsyncFunction' node_modules/@nyariv/sandboxjs/src/disclosure`
Exploit Status
EPSS: 0.19% (40th percentile)
The primary mitigation for CVE-2026-23830 is to immediately upgrade to version 0.8.26 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization for any code passed to the sandbox. While not a complete solution, this can reduce the attack surface. Review any existing sandboxed code for potential vulnerabilities and consider using alternative sandboxing solutions if possible. After upgrading, confirm the fix by attempting to execute code that previously bypassed the sandbox and verifying that it is now properly contained.
Update the SandboxJS library to version 0.8.26 or later. This fixes the sandbox escape vulnerability caused by the missing isolation of the AsyncFunction constructor. You can update the library with the npm package manager by running the command `npm install sandboxjs@latest`.
CVE-2026-23830 is a critical vulnerability in @nyariv/sandboxjs that allows attackers to bypass sandboxing due to missing mappings for AsyncFunction, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions prior to 0.8.26 and rely on its sandboxing capabilities to isolate untrusted code.
Upgrade to version 0.8.26 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement stricter input validation and sanitization.
There is currently no indication of active exploitation, but the critical severity and availability of a proof-of-concept increase the risk.
Refer to the @nyariv/sandboxjs project repository and associated security advisories for the latest information.