
17 matches found

Positive Technologies
added 2026/02/24 12:0 a.m. | 5 views

PT-2026-21804

Name of the Vulnerable Software and Affected Versions Wasmtime versions 39.0.0 through 41.0.3 Description Wasmtime, a runtime for WebAssembly, can experience a panic when the host embedder drops the future returned by wasmtime::component::TypedFunc::call async before it resolves, and then calls t...

6.9 CVSS | 5.2 AI score | 0.00362 EPSS
Exploits 0 | References 15
Veracode
added 2026/02/03 5:46 a.m. | 6 views

Remote Code Execution (RCE)

SandboxJS is vulnerable to Remote Code Execution RCE. The vulnerability is due to missing isolation and replacement of AsyncFunction and related function constructors, which allows an attacker to access the native host AsyncFunction via the .constructor property and execute arbitrary code outside...

10 CVSS | 6.2 AI score | 0.01122 EPSS
Exploits 1 | References 3 | Affected Software 1
RedhatCVE
added 2026/01/29 3:26 a.m. | 6 views

CVE-2026-23830

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version...

10 CVSS | 6.3 AI score | 0.01122 EPSS
Exploits 1 | References 1
NVD
added 2026/01/28 12:15 a.m. | 5 views

CVE-2026-23830

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version...

10 CVSS | 0.01122 EPSS
Exploits 1 | References 2
Vulnrichment
added 2026/01/27 11:32 p.m. | 2 views

CVE-2026-23830 SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version...

10 CVSS | 6.3 AI score | 0.01122 EPSS
Exploits 1 | References 2
OSV
added 2026/01/27 7:55 p.m. | 4 views

GHSA-WXHW-J4HC-FMQ6 SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

Summary A sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction Details The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version SandboxFunction. This is handled in utils.ts by mapping Function to...

10 CVSS | 6.3 AI score | 0.01122 EPSS
Exploits 1 | References 4
Github Security Blog
added 2026/01/27 7:55 p.m. | 19 views

SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

Summary A sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction Details The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version SandboxFunction. This is handled in utils.ts by mapping Function to...

10 CVSS | 6.3 AI score | 0.01122 EPSS
Exploits 1 | References 4 | Affected Software 1
Positive Technologies
added 2026/01/27 12:0 a.m. | 7 views

PT-2026-5036

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.8.26 Description SandboxJS, a JavaScript sandboxing library, has a flaw where the AsyncFunction constructor is not properly isolated within the SandboxFunction. The library aims to secure code execution by replaci...

10 CVSS | 6.2 AI score | 0.01122 EPSS
Exploits 1 | References 19
OSV
added 2025/07/05 12:19 a.m. | 3 views

OSV-2025-524 Heap-buffer-overflow in JS_CallInternal

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=429330008 Crash type: Heap-buffer-overflow READ 1 Crash state: JSCallInternal asyncfuncresume jsasyncfunctionresume...

7 AI score
Exploits 0 | References 1
OSV
added 2025/05/23 12:14 a.m. | 4 views

OSV-2025-404 Use-of-uninitialized-value in JS_FreeRuntime

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=419346940 Crash type: Use-of-uninitialized-value Crash state: JSFreeRuntime fuzzeval.c asyncfuncinit...

7.2 AI score
Exploits 0 | References 1
Positive Technologies
added 2025/05/10 12:0 a.m. | 4 views

PT-2025-21907 · Git +1 · Quickjs

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. affected versions not specified Description: The software suffers from a use-of-uninitialized-value issue. The crash state involves JS FreeRuntime, occurring within fuzz eval.c during async func init...

6.9 AI score
Exploits 0 | References 2
Snyk
added 2024/04/23 7:40 a.m. | 1 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free due to incorrect garbage collection of async functions with closures. An attacker can execute arbitrary code by exploiting this vulnerability. Remediation A fix was pushed into the master branch but not yet published...

9.8 CVSS | 7.7 AI score | 0.00345 EPSS
Exploits 1 | References 2
Prion
added 2022/05/31 11:15 p.m. | 16 views

Authentication flaw

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await t...

7.5 CVSS | 9.5 AI score | 0.01372 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2022/05/31 10:35 p.m. | 25 views

CVE-2022-31013 Authentication bypass in Vartalap chat-server

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await t...

9.1 CVSS | 9.8 AI score | 0.01372 EPSS
Exploits 0 | References 3
OSV
added 2022/05/31 10:35 p.m. | 15 views

CVE-2022-31013 Authentication bypass in Vartalap chat-server

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await t...

9.1 CVSS | 9.3 AI score | 0.01372 EPSS
Exploits 0 | References 5
Veracode
added 2021/05/31 6:28 a.m. | 15 views

Denial Of Service (DoS)

@worker-tools/stripe-webhook is vulnerable to denial of service. The verifyHeader is not an async function in the webhook and causes an error to be thrown after the request has finished...

2.7 AI score
Exploits 0
Github Security Blog
added 2020/09/02 9:25 p.m. | 23 views

Sandbox Breakout / Arbitrary Code Execution in value-censorship

All versions of value-censorship are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to validate async function constructors allowing attackers to execute arbitrary code. Recommendation No fix is currently available. Consider using an alternative package until a f...

6.5 AI score
Exploits 0 | References 2 | Affected Software 1