CVE-2026-23830: CWE-94: Improper Control of Generation of Code ('Code Injection') in nyariv SandboxJS
CVE-2026-23830 is a critical sandbox escape vulnerability in versions of the SandboxJS library prior to 0.8.26. The flaw arises because the sandbox does not properly isolate the AsyncFunction constructor, allowing malicious code to access the native AsyncFunction via the .constructor property. This enables attackers to create asynchronous functions that execute outside the sandbox, leading to remote code execution with full host privileges. The vulnerability has a CVSS score of 10, indicating maximum severity with no authentication or user interaction required. The issue is patched in version 0.8.26.
AI Analysis
Technical Summary
SandboxJS is a JavaScript sandboxing library designed to safely execute untrusted code by replacing the global Function constructor with a sandboxed version called SandboxFunction. However, in versions prior to 0.8.26, the library failed to similarly replace or isolate other function constructors such as AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction. These constructors are not globally accessible but can be obtained via the .constructor property of function instances, for example, by evaluating (async () => {}).constructor. When sandboxed code accesses the .constructor property on an async function, the executor returns the native host AsyncFunction constructor because it was not mapped to a sandboxed equivalent. This native constructor allows creation of new asynchronous functions that execute in the global scope outside the sandbox's control. Consequently, an attacker can craft code that escapes the sandbox environment, bypassing all restrictions and gaining remote code execution (RCE) capabilities on the host system. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), CWE-693 (Protection Mechanism Failure), and CWE-913 (Improper Control of Dynamically-Managed Code Resources). The issue was publicly disclosed and assigned CVE-2026-23830 with a maximum CVSS 3.1 score of 10.0, reflecting its criticality. The vulnerability requires no privileges or user interaction to exploit and affects all versions of SandboxJS before 0.8.26. The patch in version 0.8.26 addresses this by including AsyncFunction and related constructors in the sandboxed function map, preventing escape via .constructor property access.
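The following is an added illustration, not SandboxJS code: it models the constructor-mapping gap described above and the corresponding fix, and gives a defender a check that reading .constructor on every kind of function value resolves to a sandboxed replacement rather than a native host constructor. The map structure, `sandboxedGet` and `leaksNativeConstructor` are hypothetical names chosen for this example.

```javascript
// Added example (not SandboxJS code): a sandbox that intercepts property reads
// must remap every native function constructor, not only Function, because
// each is reachable as the .constructor of a function value of that kind.

const AsyncFunction = (async () => {}).constructor;
const GeneratorFunction = (function* () {}).constructor;
const AsyncGeneratorFunction = (async function* () {}).constructor;

// Hypothetical sandboxed replacement: refuses to compile new code at all.
function makeSandboxed(name) {
  return function SandboxedCtor() {
    throw new Error(`${name} is not available inside the sandbox`);
  };
}

// Before (the CVE-2026-23830 pattern): only Function is remapped.
const vulnerableMap = new Map([[Function, makeSandboxed('Function')]]);

// After: all four native constructors are remapped.
const hardenedMap = new Map([
  [Function, makeSandboxed('Function')],
  [AsyncFunction, makeSandboxed('AsyncFunction')],
  [GeneratorFunction, makeSandboxed('GeneratorFunction')],
  [AsyncGeneratorFunction, makeSandboxed('AsyncGeneratorFunction')],
]);

// Property-access hook the sandbox applies whenever untrusted code reads obj[prop].
function sandboxedGet(map, obj, prop) {
  const value = obj[prop];
  // A native constructor present in the map is swapped for its sandboxed stand-in.
  if (typeof value === 'function' && map.has(value)) return map.get(value);
  return value;
}

// Defender check: which function kinds still hand back a native constructor?
function leaksNativeConstructor(map) {
  const natives = new Set([Function, AsyncFunction, GeneratorFunction, AsyncGeneratorFunction]);
  const samples = [function () {}, async () => {}, function* () {}, async function* () {}];
  return samples
    .filter((fn) => natives.has(sandboxedGet(map, fn, 'constructor')))
    .map((fn) => fn.constructor.name);
}

console.log(leaksNativeConstructor(vulnerableMap)); // -> ['AsyncFunction', 'GeneratorFunction', 'AsyncGeneratorFunction']
console.log(leaksNativeConstructor(hardenedMap));   // -> []
```

The same check can be run as a regression test against any sandbox's property-access hook: an empty result means no function kind exposes a host constructor.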
Potential Impact
This vulnerability poses a severe risk to European organizations, especially those relying on SandboxJS to safely execute third-party or user-generated JavaScript code in web applications, serverless functions, or development tools. Exploitation leads to full remote code execution on the host environment, potentially allowing attackers to steal sensitive data, disrupt services, deploy malware, or pivot within internal networks. The critical nature of the vulnerability means that any exposed service using vulnerable SandboxJS versions is at immediate risk of compromise. Given the widespread use of JavaScript sandboxing in cloud services, SaaS platforms, and development environments, the impact could be broad, affecting confidentiality, integrity, and availability of systems. Organizations in sectors with high regulatory requirements such as finance, healthcare, and critical infrastructure in Europe face heightened consequences including data breaches and compliance violations. The lack of known exploits in the wild does not diminish the urgency, given the ease of exploitation and the critical severity score.
Mitigation Recommendations
European organizations should immediately audit their software supply chain and internal applications to identify any usage of SandboxJS versions prior to 0.8.26. The primary mitigation is to upgrade all instances of SandboxJS to version 0.8.26 or later, which patches the vulnerability by properly sandboxing AsyncFunction and related constructors. If upgrading is not immediately feasible, organizations should implement strict input validation and sandbox usage restrictions to limit exposure to untrusted code execution. Employ runtime monitoring and anomaly detection to identify suspicious behavior indicative of sandbox escape attempts. Additionally, isolate environments running sandboxed code with strict network segmentation and least privilege principles to contain potential breaches. Security teams should also review dependency management practices to ensure timely patching of third-party libraries. Finally, consider applying Web Application Firewalls (WAFs) and endpoint detection and response (EDR) solutions to detect and block exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T15:46:40.841Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697a295b4623b1157cd2335e
Added to database: 1/28/2026, 3:20:59 PM
Last enriched: 1/28/2026, 3:35:18 PM
Last updated: 1/28/2026, 6:03:38 PM