GHSA-gc25-3vc5-2jf9

Source

https://github.com/advisories/GHSA-gc25-3vc5-2jf9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-gc25-3vc5-2jf9/GHSA-gc25-3vc5-2jf9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gc25-3vc5-2jf9

Published

2020-09-04T15:00:58Z

Modified

2026-02-03T17:47:48.619460Z

Summary

Sandbox Breakout / Arbitrary Code Execution in sandbox

Details

All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload this.constructor.constructor('return process.env')() prints the contents of process.env.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific

{
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:54:57Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
}

References

https://www.npmjs.com/advisories/1318

Affected packages

npm / sandbox

Package

Name: sandbox; View open source insights on deps.dev
Purl: pkg:npm/sandbox

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-gc25-3vc5-2jf9/GHSA-gc25-3vc5-2jf9.json"

last_known_affected_version_range

"< 1.0.0"