Cybersecurity · May 16, 2026 · 8 min read

SandboxJS CVE-2026-43898 Escape Vulnerability


Secured Intel Team

Editor at Secured Intel


SandboxJS CVE-2026-43898: CVSS 10.0 Sandbox Escape Enables Full Host Takeover

Your application uses a JavaScript sandbox to safely run untrusted user code. The sandbox is supposed to be the security boundary — the wall between what users can execute and what your host system can access. On May 13, 2026, that wall collapsed for every application using the @nyariv/sandboxjs npm package version 0.9.5 or below. A critical security flaw has been found in SandboxJS, a widely used JavaScript sandboxing library available on npm. The vulnerability allows attackers to break out of the sandbox entirely and run any code they want directly on the host system. Tracked as CVE-2026-43898, it carries a maximum severity score of 10.0.

This is not a theoretical edge case. A working proof-of-concept was published alongside the advisory. If your application runs untrusted JavaScript through this library, your host system is the attack surface. Here is exactly what happened, how the escape works, and what you must do right now.


How the Sandbox Escape Works

The Leaked Internal Callback

The vulnerability lives in the property access logic inside a file called prop.ts, specifically in a function called addOps. The issue is that sandboxed code was allowed to read the caller, callee, and arguments properties on functions. In the CommonJS build of the library, this made it possible for a sandboxed function to call something like function f(){ return f.caller } and receive back the internal host-side callback that originally triggered it. That leaked callback is the LispType.Call operation, which handles function calls inside the runtime. The critical problem is that this handler accepts a params object and uses its fields directly, without checking whether those fields actually came from the trusted executor.

The root cause is a missing boundary check — the sandbox runtime trusted inputs from the sandbox-side callback without verifying their origin. This allowed attacker-controlled inputs to pass directly into host-level function execution logic.

From Leaked Callback to Full Host Takeover

By chaining a series of crafted calls through the leaked callback, an attacker can extract the host's real Function constructor. Once they have that, they can pass a string of JavaScript code and execute it directly on the host. The proof-of-concept included in the advisory demonstrates this clearly by running a system command through Node's built-in child_process module.

The exploit chain is three steps: leak the internal callback, forge parameters to extract the host Function constructor, then use it to execute arbitrary system commands. No authentication, no user interaction, no complexity barrier.

Table: CVE-2026-43898 Attack Profile

  Attribute             Detail
  CVE ID                CVE-2026-43898
  CVSS Score            10.0 (Critical)
  Affected Package      @nyariv/sandboxjs ≤ 0.9.5
  Attack Vector         Network
  Attack Complexity     Low
  Privileges Required   None
  User Interaction      None
  Scope                 Changed (sandbox → host)
  Impact                Full RCE on host system

What Applications Are at Risk

Any Platform Executing Untrusted JavaScript

Any platform that uses SandboxJS to execute user-submitted or third-party JavaScript is in the line of fire. This includes online code editors, server-side scripting tools, automation platforms, and any application that processes untrusted scripts. Once the sandbox is broken, attackers gain full access to the confidentiality, integrity, and availability of the host.

The CVSS Scope metric is marked Changed — meaning a successful exploit crosses the security boundary from the isolated sandbox environment into the underlying host system. This is the most severe possible scope rating and means the attacker's ability to cause harm extends beyond the vulnerable component itself.

Affected application categories include:

  • Online code execution platforms — any service letting users run JavaScript in the browser or server-side
  • Low-code / no-code automation — platforms executing user-defined scripts server-side
  • Plugin and extension systems — applications that allow third-party JavaScript execution
  • CI/CD pipeline tools — build systems running user-supplied JavaScript test or build scripts
  • SaaS platforms with scripting features — any multi-tenant application with user JavaScript execution

Patch, Mitigation, and Verification

The Fix in Version 0.9.6

A patched version, 0.9.6, has been released and is now available on npm. The fix in version 0.9.6 addresses the root cause by blocking access to the caller, callee, and arguments properties within sandboxed code. Developers who cannot update right away should avoid running any untrusted JavaScript through the affected library until the patch has been properly applied and thoroughly tested in their own environment.

Important: Updating to 0.9.6 is mandatory — not optional. If your application runs any user-supplied or third-party JavaScript through @nyariv/sandboxjs, you are running a host takeover vulnerability in production right now on any version ≤ 0.9.5.
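
The hardening principle the 0.9.6 fix applies, as the article describes it (refuse sandboxed reads of caller, callee and arguments on functions), shown as an added illustration in the form of a Proxy membrane around a host callback. This is not the library's code; the function names are hypothetical, and the membrane also refuses constructor and wraps functions returned from calls, which goes beyond the fix described above.

```javascript
// Added illustration, not SandboxJS code: a membrane for host functions that a
// sandbox hands to untrusted code. The names are hypothetical.
const BLOCKED_FUNCTION_PROPS = new Set(['caller', 'callee', 'arguments']);

// Reads of caller/callee/arguments are refused (the 0.9.6 principle). As extra
// hardening, constructor is hidden and any function that comes back out of a
// call is wrapped too, so a leaked callback never exposes a raw host function
// object or, through it, the host Function constructor.
function guardHostFunction(fn, seen = new WeakMap()) {
  if (typeof fn !== 'function') return fn;
  if (seen.has(fn)) return seen.get(fn);
  const proxy = new Proxy(fn, {
    get(target, prop, receiver) {
      if (BLOCKED_FUNCTION_PROPS.has(prop)) {
        throw new TypeError(`access to function.${String(prop)} is not allowed in the sandbox`);
      }
      if (prop === 'constructor') return undefined; // never hand out Function
      return guardHostFunction(Reflect.get(target, prop, receiver), seen);
    },
    apply(target, thisArg, args) {
      return guardHostFunction(Reflect.apply(target, thisArg, args), seen);
    },
  });
  seen.set(fn, proxy);
  return proxy;
}

// Constructed stand-in for a host-side callback that returns another function.
function hostCallback(x) {
  return function inner() { return x * 2; };
}

// Probe helper: 'blocked' when the membrane refuses the read, else 'allowed'.
function tryRead(fn, prop) {
  try {
    void fn[prop];
    return 'allowed';
  } catch (e) {
    return e instanceof TypeError ? 'blocked' : 'error';
  }
}

const guarded = guardHostFunction(hostCallback);
console.log(tryRead(guarded, 'caller'), tryRead(guarded, 'name'), guarded(21)());
```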

Table: Remediation Steps for CVE-2026-43898

  Step  Action                                                                       Priority
  1     Run npm audit to identify the @nyariv/sandboxjs dependency                   Immediate
  2     Update to @nyariv/sandboxjs ≥ 0.9.6                                          Immediate
  3     Disable untrusted JS execution if the patch cannot be applied immediately    Emergency workaround
  4     Review application logs for exploitation attempts via child_process          Forensic
  5     Audit all npm dependencies for transitive @nyariv/sandboxjs usage            Within 24 hours
  6     Test the patched version in staging before production deployment            Before patching prod
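
Steps 1, 2 and 5 above come down to one question: which copies of @nyariv/sandboxjs are installed, at what version, and through which dependency. The script below is an added example (not from the advisory or the project) that answers it from a package-lock.json; the lock-file content embedded in it is constructed sample data and the "script-runner" package is hypothetical.

```javascript
// Added example, not code from the advisory or the SandboxJS project: walk a
// package-lock.json (lockfileVersion 2/3 "packages" map) and report every
// installed copy of @nyariv/sandboxjs, direct or transitive, still <= 0.9.5.
const AFFECTED_PACKAGE = '@nyariv/sandboxjs';
const FIXED_VERSION = '0.9.6';

// Minimal major.minor.patch comparison (pre-release suffix ignored).
// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One record per installed copy of the affected package. Lock-file keys look
// like "node_modules/x/node_modules/@nyariv/sandboxjs"; more than one
// "node_modules/" segment means the copy is nested under another package,
// i.e. a transitive dependency the application never imports directly.
// A copy with no recorded version is reported as vulnerable (conservative).
function findSandboxjs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + AFFECTED_PACKAGE)) continue;
    const version = entry.version || 'unknown';
    const vulnerable = version === 'unknown' || compareVersions(version, FIXED_VERSION) < 0;
    const transitive = path.split('node_modules/').length > 2;
    hits.push({ path, version, vulnerable, transitive });
  }
  return hits;
}

// Constructed sample lock file: a patched top-level copy plus a vulnerable
// copy pulled in transitively by a hypothetical "script-runner" package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.9.6' },
    'node_modules/script-runner': { version: '2.1.0' },
    'node_modules/script-runner/node_modules/@nyariv/sandboxjs': { version: '0.9.5' },
  },
};

for (const h of findSandboxjs(sampleLock)) {
  const flag = h.vulnerable ? 'VULNERABLE' : 'patched   ';
  console.log(`${flag} ${h.version.padEnd(8)} ${h.transitive ? '[transitive] ' : ''}${h.path}`);
}
```

Against a real tree, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a nested vulnerable copy is exactly the case npm audit and npm ls @nyariv/sandboxjs should also surface, but the walk above makes the nesting path explicit.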

Key Takeaways

  • Update to @nyariv/sandboxjs 0.9.6 immediately — every version ≤ 0.9.5 is a confirmed full host takeover vulnerability
  • Disable untrusted JavaScript execution as an emergency interim measure if the patch cannot be applied immediately
  • Audit transitive npm dependencies — your direct dependencies may pull in the affected package without your direct awareness
  • Review host-level logs for anomalous child_process executions that may indicate prior exploitation
  • Check SBOM and dependency inventories — this vulnerability demonstrates why real-time dependency visibility is operationally critical
  • Treat this as a host compromise if exploitation cannot be ruled out — initiate full incident response procedures

Conclusion

CVE-2026-43898 in SandboxJS is a textbook worst-case sandbox escape — maximum severity, zero authentication required, working proof-of-concept published, and the attack result is complete host takeover. The sandbox that was supposed to be your security control became the attack surface. Version 0.9.6 closes the root cause by blocking the leaked callback properties that enabled the exploit chain, but the window between disclosure and patch deployment is your critical exposure period. If you run untrusted JavaScript through this library, assume exploitation is possible, audit your logs immediately, and patch within hours — not days.


Frequently Asked Questions

Q: What is CVE-2026-43898, and what does "sandbox escape" mean?
A: CVE-2026-43898 is a critical vulnerability in the @nyariv/sandboxjs npm package that allows an attacker to break out of the JavaScript sandbox environment and execute arbitrary code directly on the underlying host system. A sandbox escape means the isolation boundary between the untrusted execution environment and the host has been defeated, giving the attacker the same access level as the host process itself.

Q: How is the exploit carried out technically?
A: The attacker exploits a missing boundary check in the library's prop.ts file — specifically the addOps function — which accidentally allows sandboxed code to read the caller, callee, and arguments properties of functions. By leaking the internal LispType.Call callback through these properties and chaining forged parameter inputs through it, the attacker extracts the host Function constructor and uses it to execute arbitrary Node.js system commands.

Q: Which versions are vulnerable and what is the fix?
A: All versions of @nyariv/sandboxjs up to and including version 0.9.5 are vulnerable. Version 0.9.6, released on May 13, 2026, addresses the root cause by blocking access to the caller, callee, and arguments properties within sandboxed code. Update immediately via npm install @nyariv/sandboxjs@0.9.6.

Q: What should organizations do if they cannot immediately patch?
A: As an emergency interim measure, disable all untrusted JavaScript execution through the affected library until the patch is applied and tested. Do not treat restricted user inputs as a sufficient mitigation — the exploit does not depend on specific input content but on the library's internal callback exposure mechanism.

Q: How does this relate to broader npm supply chain security?
A: This vulnerability highlights the critical importance of real-time npm dependency monitoring and SBOM (Software Bill of Materials) maintenance. Many applications include @nyariv/sandboxjs as a transitive dependency — meaning they do not directly import it but inherit it through another package — making automated dependency scanning essential for rapid identification of exposure across complex application stacks.
