139 matches found

Positive Technologies
added 2026/02/02 12:0 a.m., 5 views

PT-2026-6406

Summary: SandboxJS does not properly restrict lookupGetter, which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. Details: https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.tsL368-L398 The Object...

CVSS: 10, AI score: 5.9, EPSS: 0.01091
Exploits: 1, References: 6

CNNVD
added 2026/02/02 12:0 a.m., 6 views

SandboxJS code injection vulnerability

SandboxJS is a security assessment tool developed by nyariv. Versions of SandboxJS prior to 0.8.27 contained a code injection vulnerability. This vulnerability stemmed from improper restrictions on lookupGetter, which could lead to sandbox escape or remote code execution...

CVSS: 10, AI score: 6.1, EPSS: 0.01091
Exploits: 1, References: 3

CNNVD
added 2026/01/28 12:0 a.m., 4 views

SandboxJS security vulnerability

SandboxJS is a security assessment tool developed by nyariv. Versions of SandboxJS prior to 0.8.26 contained security vulnerabilities. These vulnerabilities stemmed from the lack of isolation of AsyncFunctions within SandboxFunctions, which could lead to sandbox escapes and remote code execution...

CVSS: 10, AI score: 6.2, EPSS: 0.01122
Exploits: 1, References: 2

CVE
added 2026/01/27 11:32 p.m., 29 views

CVE-2026-23830

SandboxJS (pre-0.8.26) contains a sandbox escape where AsyncFunction (and related constructors) are not isolated in SandboxFunction. The safe-replacement map omits AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction, so accessing an async function’s .constructor can yield the native host...

CVSS: 10, AI score: 6.3, EPSS: 0.01122
Exploits: 1, References: 2, Affected Software: 1

ATTACKERKB
added 2026/01/27 11:32 p.m., 8 views

CVE-2026-23830

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version...

CVSS: 10, AI score: 6.3, EPSS: 0.01122
Exploits: 1, References: 3, Affected Software: 1

Github Security Blog
added 2026/01/27 7:55 p.m., 20 views

SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

Summary: A sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. Details: The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version, SandboxFunction. This is handled in utils.ts by mapping Function to...

CVSS: 10, AI score: 6.3, EPSS: 0.01122
Exploits: 1, References: 4, Affected Software: 1

Snyk
added 2026/01/27 7:55 p.m., 8 views

Improper Control of Dynamically-Managed Code Resources

Overview: @nyariv/sandboxjs is a JavaScript sandboxing library. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the AsyncFunction constructor not being properly isolated in the sandboxing function. An attacker can execute arbitrary cod...

CVSS: 10, AI score: 6.2, EPSS: 0.01122
Exploits: 1, References: 3

vulnersOsv
added 2026/01/27 7:55 p.m., 7 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-23830 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-23830 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15123975...

CVSS: 10, AI score: 5.8, EPSS: 0.01122
Exploits: 1

vulnersOsv
added 2026/01/27 7:55 p.m., 6 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-23830 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-23830 Source advisory: OSV:GHSA-WXHW-J4HC-FMQ6...

CVSS: 10, AI score: 5.8, EPSS: 0.01122
Exploits: 1

Veracode
added 2025/08/14 7:46 a.m., 6 views

Prototype Pollution

@nyariv/sandboxjs is vulnerable to prototype pollution. The vulnerability is due to insufficient prototype access checks in the sandbox’s executor logic, particularly when handling JavaScript function objects, which allows an attacker to inject arbitrary properties into Object.prototype...

CVSS: 7, AI score: 7, EPSS: 0.00203
Exploits: 0, References: 6, Affected Software: 1

vulnersOsv
added 2025/07/31 3:35 p.m., 6 views

@mieweb/wikigdrive (>=2.15.0 <=2.17.1), @nyariv/scopejs (>=0.2.0 <=0.2.2) potentially affected by CVE-2025-34146 via @nyariv/sandboxjs (>=0.5.3 <=0.8.23)

@nyariv/sandboxjs NPM version =0.5.3, =2.15.0, =0.2.0, =0.2.2 Source cves: CVE-2025-34146 Source advisory: OSV:GHSA-9QM3-6QRR-C76M...

CVSS: 7, AI score: 5.8, EPSS: 0.00203
Exploits: 0

OSV
added 2025/07/31 3:15 p.m., 5 views

CVE-2025-34146

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environme...

CVSS: 7, AI score: 6, EPSS: 0.00203
Exploits: 0, References: 4

NVD
added 2025/07/31 3:15 p.m., 5 views

CVE-2025-34146

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environme...

CVSS: 7, EPSS: 0.00203
Exploits: 0, References: 4

CVE
added 2025/07/31 2:59 p.m., 23 views

CVE-2025-34146

CVE-2025-34146 affects @nyariv/sandboxjs

CVSS: 7, AI score: 6.9, EPSS: 0.00203
Exploits: 0, References: 4

Cvelist
added 2025/07/31 2:59 p.m., 8 views

CVE-2025-34146 nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environme...

CVSS: 7, EPSS: 0.00203
Exploits: 0, References: 4

ATTACKERKB
added 2025/07/31 2:59 p.m., 6 views

CVE-2025-34146

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environme...

CVSS: 7, AI score: 6, EPSS: 0.00203
Exploits: 0, References: 5

Vulnrichment
added 2025/07/31 2:59 p.m., 3 views

CVE-2025-34146 nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environme...

CVSS: 7, AI score: 6.8, EPSS: 0.00203
Exploits: 0, References: 4

vulnersOsv
added 2025/04/12 7:7 a.m., 9 views

@mieweb/wikigdrive (>=2.15.0 <=2.17.1), @nyariv/scopejs (>=0.2.0 <=0.2.2) potentially affected by CVE-2025-34146 via @nyariv/sandboxjs (>=0.5.3 <=0.8.23)

@nyariv/sandboxjs NPM version =0.5.3, =2.15.0, =0.2.0, =0.2.2 Source cves: CVE-2025-34146 Source advisory: SNYK:JS-NYARIVSANDBOXJS-10361588...

CVSS: 7, AI score: 5.8, EPSS: 0.00203
Exploits: 0

Snyk
added 2025/04/12 7:7 a.m., 3 views

Prototype Pollution

Overview: @nyariv/sandboxjs is a JavaScript sandboxing library. Affected versions of this package are vulnerable to Prototype Pollution, which can cause a Denial of Service and potentially escape the sandbox via injecting arbitrary properties. Details: Prototype Pollution is a vulnerability affecting...

CVSS: 9.1, AI score: 6.7, EPSS: 0.00203
Exploits: 0, References: 2