DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23830: Async Abyss: Escaping SandboxJS via Forgotten Constructors


Vulnerability ID: CVE-2026-23830
CVSS Score: 9.8
Published: 2026-01-27

A missed case in SandboxJS let attackers escape the sandbox entirely by reaching the host's AsyncFunction constructor. The evals WeakMap that maps dangerous host constructors to their sandboxed replacements covered the standard Function constructor, but its asynchronous sibling was never registered, so sandboxed code received the real one unwrapped.

TL;DR

SandboxJS locked the front door (Function) but left the side door (AsyncFunction) wide open. By reading the constructor of an async arrow function, attackers obtain the host's AsyncFunction constructor and can compile a string of code that executes in the host's realm, not the sandbox's, which amounts to Remote Code Execution (RCE) in the embedding process.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94 (Code Injection)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network
  • Impact: Full Sandbox Escape / RCE
  • Exploit Status: PoC Available
  • Affected Component: evals WeakMap / AsyncFunction Constructor

Affected Systems

  • Node.js applications using nyariv/SandboxJS
  • SaaS platforms allowing user-defined scripts via SandboxJS
  • Rule engines executing dynamic JS logic
  • SandboxJS: every build before commit 345aee6 (fixed in commit 345aee6)

Code Analysis

Commit: 345aee6

Fix Sandbox Escape via AsyncFunction

  // evals maps host constructors to their sandboxed replacements; AsyncFunction was missing from it
  evals.set(AsyncFunction, asyncFunc);

Exploit Details

  • Internal Research: the PoC reads (async () => {}).constructor from inside the sandbox. Because AsyncFunction was absent from the evals map, that property returns the host's real constructor; calling it with a string body compiles and runs that code outside the sandbox.

Mitigation Strategies

  • Update SandboxJS immediately to the patched version.
  • Audit sandbox implementations for missing constructor shims. Function is not the only code-compiling constructor: AsyncFunction, GeneratorFunction and AsyncGeneratorFunction each compile source strings too, and none of them is a global, so they are reached through an instance's constructor property rather than by name.
  • Move high-risk untrusted code execution to VM-based isolation (e.g., Firecracker, gVisor) rather than relying solely on language-level sandboxes.

Remediation Steps:

  1. Check package.json for nyariv/SandboxJS dependency.
  2. Ensure the installed version includes commit 345aee6 (the January 2026 fix).
  3. Add a test that evaluates (async () => {}).constructor('return process') inside the sandbox and asserts that it either throws or yields a sandboxed constructor; if the call returns a function that hands back the host's process object, the sandbox is still vulnerable.
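The following is an added example, not code from the original post or from SandboxJS. It serves both the Exploit Details PoC above and remediation step 3: it models the guard the fix commit touches as a WeakMap keyed by host constructor (the shape of SandboxJS's evals map is assumed from the one-line fix), lists which of the four code-compiling constructors a given guard misses, and demonstrates the escape itself by running the AsyncFunction constructor in the host. The blocked replacement function and the globalThis probe are illustrative choices, not SandboxJS internals.

```javascript
// Added example (not SandboxJS code). Models the guard the fix commit touches
// (a WeakMap keyed by host constructor) and checks it for the gaps this CVE
// and the mitigation advice describe.

// The four function constructors of the host realm. None is a global; each is
// reachable only through an instance's .constructor, which is exactly how the
// PoC obtains AsyncFunction.
const HOST_FUNCTION_CONSTRUCTORS = Object.freeze({
  Function,
  AsyncFunction: (async () => {}).constructor,
  GeneratorFunction: (function* () {}).constructor,
  AsyncGeneratorFunction: (async function* () {}).constructor,
});

// Names of host constructors a guard map does not intercept. `evals` is
// assumed to have the same shape as SandboxJS's map: host constructor ->
// sandboxed replacement.
function unguardedConstructors(evals) {
  return Object.entries(HOST_FUNCTION_CONSTRUCTORS)
    .filter(([, ctor]) => !evals.has(ctor))
    .map(([name]) => name);
}

// Hypothetical replacement that refuses to compile anything; it stands in for
// the sandboxed constructors SandboxJS supplies.
function blocked() {
  throw new Error('dynamic code generation is not allowed in the sandbox');
}

// Guard as the vulnerable version had it: only Function registered.
function vulnerableGuard() {
  const evals = new WeakMap();
  evals.set(Function, blocked);
  return evals;
}

// Guard with the AsyncFunction entry from commit 345aee6 plus the generator
// variants the mitigation section tells you to audit for.
function hardenedGuard() {
  const evals = new WeakMap();
  for (const ctor of Object.values(HOST_FUNCTION_CONSTRUCTORS)) {
    evals.set(ctor, blocked);
  }
  return evals;
}

// The escape itself, run in the host for illustration: AsyncFunction compiles
// a string body in the host realm. An async body runs synchronously until its
// first await, so the assignment to `probe` is visible as soon as fn() is
// called, without awaiting the returned promise.
function asyncFunctionEscapeReachesHost() {
  const AsyncFunction = (async () => {}).constructor;
  const probe = { host: null };
  const fn = AsyncFunction('probe', 'probe.host = globalThis;');
  fn(probe);
  return probe.host === globalThis;
}

// Remediation step 3 as a reusable check: pass in whatever the sandbox hands
// back for (async () => {}).constructor. If it is identical to the host's
// AsyncFunction, the sandbox still leaks the side door.
function sandboxLeaksAsyncFunction(constructorSeenInsideSandbox) {
  return constructorSeenInsideSandbox === HOST_FUNCTION_CONSTRUCTORS.AsyncFunction;
}

// Usage:
//   unguardedConstructors(vulnerableGuard())  // ['AsyncFunction', 'GeneratorFunction', 'AsyncGeneratorFunction']
//   unguardedConstructors(hardenedGuard())    // []
//   asyncFunctionEscapeReachesHost()          // true
```

In a real test suite, sandboxLeaksAsyncFunction would be fed the value that a script evaluated by SandboxJS produces for (async () => {}).constructor; a passing result is any value other than the host's constructor, including a thrown error.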

Read the full report for CVE-2026-23830 on our website for more details including interactive diagrams and full exploit analysis.
