Threat Advisory

SandboxJS Critical Escape Vulnerability Enables Host Takeover

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-43898 (CVSS 10.0) is a critical sandbox escape vulnerability in SandboxJS, a widely used JavaScript library for executing untrusted code in a restricted environment. All versions prior to 0.9.6 are affected. The root cause is a classic JavaScript oversight: SandboxJS builds sandboxed functions with createFunction(), which produces ordinary host functions that are not isolated from the host. Untrusted code can read Function.caller on such a function to "reach out" to the host-side callback that invoked it, recovering the library's internal LispType .Call runtime callback. That callback accepts whatever parameters it is handed without checking that they originate from the sandbox runtime, so the attacker can invoke it with a forged context. Through that forged context the attacker manipulates internal primitives to recover the real host Function constructor, and with it compiles and runs arbitrary JavaScript outside the sandbox, in the host process. The result is full remote code execution (RCE) in any application that evaluates attacker-supplied code with a vulnerable SandboxJS, leading to host takeover and severe business impact, including potential data breaches, financial losses, and reputational damage.

RECOMMENDATION:

Update SandboxJS to version 0.9.6 or later. Until the upgrade is deployed, do not pass code from untrusted parties through SandboxJS. Note also that an in-process JavaScript sandbox is at best a defence-in-depth layer: code that is genuinely hostile should run in a separate process or isolate with its own OS-level privilege boundary, so that a future escape of this kind does not yield the whole host.

REFERENCES:

The following report contains further technical details:
https://securityonline.info/sandboxjs-vulnerability-cve-2026-43898-rce-escape/
