CVE-2026-23830
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor
Description
SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability.
INFO
Published Date :
Jan. 28, 2026, 12:15 a.m.
Last Modified :
Feb. 12, 2026, 8:47 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update SandboxJS library to version 0.8.26 or later.
- Ensure all function constructors are properly sandboxed.
Public PoC/Exploit Available at Github
CVE-2026-23830 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-23830.
| URL | Resource |
|---|---|
| https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd | Patch |
| https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6 | Exploit Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-23830 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-23830
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Go
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-23830 vulnerability anywhere in the article.
-
Daily CyberSecurity
CISA Warns of Unpatched Avation & RISS Critical Flaws
In a concerning update for the operational technology (OT) sector, the Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts for two distinct critical infrastructure devices where ... Read more
-
Daily CyberSecurity
Broadcast Hijack: Critical KiloView Flaw (CVSS 9.8) Grants Full Control
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert regarding a maximum-severity vulnerability in KiloView, a popular brand of video encoding and streaming dev ... Read more
-
Daily CyberSecurity
CVE-2026-24002: Critical Sandbox Escape Turns Grist Spreadsheets into RCE Weapons
A seemingly innocent spreadsheet formula could be the key to compromising entire organizations, thanks to a critical vulnerability uncovered by Cyera Research Labs in Grist-Core. The flaw, tracked as ... Read more
-
Daily CyberSecurity
CVE-2026-23830: Critical SandboxJS Flaw (CVSS 10) Allows Total Sandbox Escape
A perfect storm of missing checks has led to a maximum-severity vulnerability in SandboxJS, a library designed to safely execute untrusted JavaScript code. Tracked as CVE-2026-23830, the flaw carries ... Read more
-
Daily CyberSecurity
CVE-2025-14988: Critical 9.8 Vulnerability hits ibaPDA Industrial Software
A critical security vulnerability has been identified in ibaPDA, a core data acquisition system used in industrial environments to monitor and analyze process data. Tracked as CVE-2025-14988, the flaw ... Read more
The following table lists the changes that have been made to the
CVE-2026-23830 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 12, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:* versions up to (excluding) 0.8.26 Added Reference Type GitHub, Inc.: https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd Types: Patch Added Reference Type GitHub, Inc.: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6 Types: Exploit, Vendor Advisory -
New CVE Received by [email protected]
Jan. 28, 2026
Action Type Old Value New Value Added Description SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-94 Added CWE CWE-693 Added CWE CWE-913 Added Reference https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd Added Reference https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6