CVE-2023-26919

7.2 HIGH

📋 TL;DR

This vulnerability allows attackers to escape the JavaScript sandbox in delight-nashorn-sandbox versions 0.2.4 and 0.2.5, enabling them to invoke exit and quit methods to terminate the Java process. Applications using these vulnerable versions with allowExitFunctions set to false are affected, potentially leading to denial of service.

💻 Affected Systems

Products:
  • delight-nashorn-sandbox
Versions: 0.2.4 and 0.2.5
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when allowExitFunctions is set to false, which is a common security configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service through Java process termination, potentially disrupting critical business functions or enabling further attacks by crashing security controls.

🟠 Likely Case

Application crashes leading to service disruption, requiring manual restart and causing temporary downtime.

🟢 If Mitigated

Limited impact if proper input validation and sandbox configuration are in place, though risk remains if vulnerable version is used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to execute JavaScript within the sandbox, but the sandbox escape itself is straightforward once code execution is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.6

Vendor Advisory: https://github.com/javadelight/delight-nashorn-sandbox/issues/135

Restart Required: Yes

Instructions:

1. Update delight-nashorn-sandbox dependency to version 0.2.6 or later.
2. Update your project's build configuration (pom.xml for Maven, build.gradle for Gradle).
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

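Disable loadWithNewGlobal function

Platforms: all

Prevent use of the vulnerable loadWithNewGlobal function in the sandbox configuration:

import delight.nashornsandbox.NashornSandbox;
import delight.nashornsandbox.NashornSandboxes;

NashornSandbox sandbox = NashornSandboxes.create();
sandbox.allowNoBraces(false);
sandbox.allowLoadFunctions(false); // disables the load functions, including loadWithNewGlobal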

🧯 If You Can't Patch

  • Implement strict input validation to prevent malicious JavaScript from reaching the sandbox
  • Deploy application behind WAF with JavaScript execution blocking rules

🔍 How to Verify

Check if Vulnerable:

Check project dependencies for delight-nashorn-sandbox version 0.2.4 or 0.2.5

Check Version:

Maven: mvn dependency:tree | grep delight-nashorn-sandbox
Gradle: gradle dependencies | grep delight-nashorn-sandbox

Verify Fix Applied:

Verify delight-nashorn-sandbox version is 0.2.6 or higher in dependencies
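
The version check above as a script: an added example, not from the advisory or the project. It reads `mvn dependency:tree` or `gradle dependencies` output on stdin and reports the version actually resolved, so a Gradle line such as `0.2.4 -> 0.2.6` is not misreported the way a plain grep for the version string would. The function name and sample lines are constructed, and non-verbose Maven output is assumed.

```sh
#!/bin/sh
# Added example (not project code). Reads dependency-tree text on stdin and
# prints "<version> VULNERABLE|ok" for each distinct resolved version of
# delight-nashorn-sandbox. Exit status 1 if 0.2.4 or 0.2.5 is resolved.
check_nashorn_sandbox() {
  awk '
    /delight-nashorn-sandbox:/ {
      line = $0
      if (match(line, /-> *[0-9]+(\.[0-9]+)+/)) {
        # Gradle conflict resolution "0.2.4 -> 0.2.6": the version after
        # the arrow is the one on the classpath.
        ver = substr(line, RSTART, RLENGTH)
        sub(/^-> */, "", ver)
      } else {
        # Maven "group:artifact:jar:VERSION:scope" or Gradle
        # "group:artifact:VERSION": take what follows the artifact name.
        sub(/.*delight-nashorn-sandbox:(jar:)?/, "", line)
        if (!match(line, /^[0-9]+(\.[0-9]+)+/)) next
        ver = substr(line, 1, RLENGTH)
      }
      if (ver in seen) next          # report each version once
      seen[ver] = 1
      if (ver == "0.2.4" || ver == "0.2.5") { print ver " VULNERABLE"; bad = 1 }
      else print ver " ok"
    }
    END { exit bad + 0 }
  '
}

# Constructed sample lines (not captured from a real build).
SAMPLE_MAVEN='[INFO] +- org.javadelight:delight-nashorn-sandbox:jar:0.2.5:compile'
SAMPLE_GRADLE='+--- org.javadelight:delight-nashorn-sandbox:0.2.4 -> 0.2.6
\--- org.javadelight:delight-nashorn-sandbox:0.2.6 (*)'

printf '%s\n' "$SAMPLE_MAVEN"  | check_nashorn_sandbox || echo "upgrade to 0.2.6 or later"
printf '%s\n' "$SAMPLE_GRADLE" | check_nashorn_sandbox || echo "upgrade to 0.2.6 or later"
```

In a build pipeline, pipe the real command output into the function and fail the job on a non-zero exit status.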

📡 Detection & Monitoring

Log Indicators:

  • Java process termination logs
  • Application crash logs with exit code 0
  • Unexpected service restarts

Network Indicators:

  • Sudden loss of connectivity to affected service
  • HTTP 503 errors from load balancers

SIEM Query:

source="application.logs" AND ("exit" OR "quit") AND process="java"
