SandboxJS is a JavaScript sandboxing library designed to safely execute untrusted code by restricting access to dangerous functions and objects. Versions prior to 0.8.34 contain a critical vulnerability (CVE-2026-26954) classified under CWE-94 (Improper Control of Generation of Code, i.e., code injection). The vulnerability arises because it is possible to obtain arrays containing the JavaScript Function constructor within the sandboxed environment. By combining this with Object.fromEntries, an attacker can dynamically construct an object with a property whose value is the Function constructor, effectively allowing the execution of arbitrary code outside the sandbox constraints. This sandbox escape leads to a complete bypass of the security model, enabling attackers to run malicious code with the privileges of the host environment. The vulnerability requires no authentication or user interaction and can be exploited remotely if the sandbox is exposed to untrusted inputs. The issue was addressed and fixed in SandboxJS version 0.8.34 by preventing access to the Function constructor within arrays and restricting the use of Object.fromEntries in this context.

The impact of this vulnerability is severe and far-reaching. Exploitation allows attackers to execute arbitrary code on the host system, leading to full compromise of confidentiality, integrity, and availability. This could result in data theft, unauthorized system control, deployment of malware or ransomware, and disruption of critical services. Organizations using SandboxJS to isolate untrusted JavaScript code, such as in web applications, serverless functions, or embedded scripting environments, are at risk. The vulnerability's ease of exploitation (no authentication or user interaction required) and the critical nature of sandbox escapes make it a high-priority threat. If exploited in environments processing sensitive or critical workloads, the consequences could include significant financial loss, reputational damage, and regulatory penalties.

To mitigate this vulnerability, organizations should immediately upgrade all SandboxJS deployments to version 0.8.34 or later, where the issue is fixed. Additionally, review and audit any custom sandboxing or code execution controls to ensure they do not expose similar weaknesses. Implement strict input validation and sanitization to reduce the risk of malicious payloads reaching the sandbox. Employ runtime monitoring and anomaly detection to identify suspicious code execution patterns indicative of sandbox escapes. Where possible, isolate sandboxed environments using containerization or virtual machines to limit the blast radius of potential exploits. Finally, maintain an up-to-date inventory of all software components and dependencies to facilitate rapid patching of critical vulnerabilities.