CVE-2026-23830

10.0 CRITICAL

📋 TL;DR

SandboxJS versions before 0.8.26 have a critical sandbox escape vulnerability that allows attackers to execute arbitrary code outside the sandbox context. This occurs because AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction constructors weren't properly isolated, enabling attackers to access the host environment's native constructors. Any application using vulnerable SandboxJS versions for JavaScript sandboxing is affected.

💻 Affected Systems

Products:
  • SandboxJS
Versions: All versions prior to 0.8.26
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use SandboxJS to execute untrusted JavaScript code. The vulnerability exists in the library itself and does not depend on any specific configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete host environment compromise with remote code execution, allowing attackers to execute arbitrary commands, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case: Remote code execution within the application context, leading to data theft, privilege escalation, or complete application takeover.

🟢 If Mitigated: Limited impact if the sandbox is only used for non-critical operations with minimal privileges and network access restrictions.

🌐 Internet-Facing: HIGH - Web applications using SandboxJS to execute user-provided JavaScript are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well documented, with a public proof-of-concept available in the security advisory. Exploitation requires the ability to execute JavaScript within the sandbox, which is typically available to users of affected applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.26

Vendor Advisory: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6

Restart Required: Yes

Instructions:

1. Update SandboxJS dependency to version 0.8.26 or later
2. Update package.json: "sandboxjs": "^0.8.26"
3. Run npm update sandboxjs or yarn upgrade sandboxjs
4. Restart the application to load the updated library

🔧 Temporary Workarounds

Disable sandbox execution
Applies to: all

Temporarily disable execution of untrusted JavaScript through SandboxJS until patching is complete.

// In application code, disable sandbox execution or implement alternative validation

🧯 If You Can't Patch

  • Implement strict input validation to prevent malicious JavaScript from reaching the sandbox
  • Run the application with minimal privileges and network restrictions to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/sandboxjs/package.json for version number less than 0.8.26

Check Version:

npm list sandboxjs | grep sandboxjs

Verify Fix Applied:

Confirm that the installed SandboxJS version is 0.8.26 or higher, then test sandbox execution with known exploit patterns to make sure they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Attempts to access AsyncFunction or similar constructors
  • Unexpected process spawns or network connections from application

Network Indicators:

  • Outbound connections from application to unexpected destinations
  • Unusual data exfiltration patterns

SIEM Query:

process.name:"node" AND (process.cmdline:"AsyncFunction" OR process.cmdline:"GeneratorFunction")
