CVE-2026-26954 in SandboxJS

Summary

by MITRE • 03/13/2026

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.


Analysis

by VulDB Data Team • 03/20/2026

The vulnerability identified as CVE-2026-26954 affects SandboxJS, a JavaScript sandboxing library designed to provide isolated execution environments for untrusted code. This security flaw exists in versions prior to 0.8.34 and represents a critical sandbox escape vulnerability that undermines the fundamental security guarantees of the library. The vulnerability stems from insufficient restrictions on array contents within the sandboxed environment, specifically allowing the inclusion of Function objects within arrays that should remain isolated from the host environment's execution context.

The technical implementation of this vulnerability exploits the ability to manipulate array contents to include Function objects, which, when combined with the Object.fromEntries API, enables attackers to construct malicious property descriptors. This construction allows the creation of {[p]: Function} objects where p represents any constructible property within the JavaScript environment. The flaw essentially creates a pathway for bypassing sandbox boundaries by leveraging the inherent capabilities of JavaScript's prototype chain and property descriptor mechanisms. The vulnerability is classified under CWE-242 due to the use of an inherently dangerous function that can lead to arbitrary code execution.

The operational impact of this vulnerability is severe as it enables attackers to escape the sandboxed execution environment and gain access to the host system's functionality. Once an attacker successfully exploits this vulnerability, they can execute arbitrary JavaScript code with the privileges of the sandboxed environment, potentially leading to full system compromise. The attack vector is particularly concerning because it leverages standard JavaScript APIs that are commonly available in sandboxed contexts, making the exploitation relatively straightforward and difficult to detect. This vulnerability directly aligns with ATT&CK technique T1059.007 for JavaScript execution and T1566 for phishing with a sandbox escape payload.

The fix implemented in version 0.8.34 addresses this vulnerability by introducing proper sanitization of array contents within the sandboxing mechanism. The patch ensures that Function objects cannot be included in arrays that would otherwise be accessible to the sandboxed code, thereby preventing the construction of malicious property descriptors. Organizations using SandboxJS should immediately upgrade to version 0.8.34 or later to mitigate this risk, as the vulnerability allows for complete bypass of sandbox security controls and can lead to unauthorized access to sensitive data and system resources. The mitigation strategy should also include monitoring for any suspicious execution patterns that might indicate attempted exploitation of this vulnerability, particularly around array manipulation and property descriptor construction activities within sandboxed contexts.

Responsible

GitHub M

Reservation

02/16/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00095

KEV

no

Activities

very low
