sandbox 2.0.0-alpha5

Direct Vulnerabilities

Known vulnerabilities in the sandbox package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Arbitrary Code Execution sandbox is a nifty javascript sandbox for node.js. Affected versions of this package are vulnerable to Arbitrary Code Execution through `this.constructor.constructor`. An attacker can execute arbitrary code in the system by evaluating payloads that have access to the main context, such as `this.constructor.constructor('return process.env')()`. Note: In June 2025, Vercel announced the launch of their Sandbox SDK and later, on 2025-10-15, Vercel claimed the name "Sandbox" for the npm package previously maintained by Gianni Chiappetta. This vulnerability concerns the original package, not the Vercel Sandbox. How to fix Arbitrary Code Execution? Upgrade `sandbox` to version 1.0.0-beta.1, 2.0.0 or higher.	<1.0.0-beta.1>=2.0.0-alpha2 <2.0.0
C Arbitrary Code Execution sandbox is a nifty javascript sandbox for node.js. Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker to gain access to a process with root permissions and load modules of their choosing to execute malicious code. Note: In June 2025, Vercel announced the launch of their Sandbox SDK and later, on 2025-10-15, Vercel claimed the name "Sandbox" for the npm package previously maintained by Gianni Chiappetta. This vulnerability concerns the original package, not the Vercel Sandbox. How to fix Arbitrary Code Execution? Upgrade `sandbox` to version 1.0.0-beta.1, 2.0.0 or higher.	<1.0.0-beta.1>=2.0.0-alpha2 <2.0.0

Vulnerability

Vulnerable Version

Arbitrary Code Execution

sandbox is a nifty javascript sandbox for node.js.

Affected versions of this package are vulnerable to Arbitrary Code Execution through this.constructor.constructor. An attacker can execute arbitrary code in the system by evaluating payloads that have access to the main context, such as this.constructor.constructor('return process.env')().

Note: In June 2025, Vercel announced the launch of their Sandbox SDK and later, on 2025-10-15, Vercel claimed the name "Sandbox" for the npm package previously maintained by Gianni Chiappetta. This vulnerability concerns the original package, not the Vercel Sandbox.

How to fix Arbitrary Code Execution?

Upgrade sandbox to version 1.0.0-beta.1, 2.0.0 or higher.

<1.0.0-beta.1>=2.0.0-alpha2 <2.0.0

Arbitrary Code Execution

sandbox is a nifty javascript sandbox for node.js.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker to gain access to a process with root permissions and load modules of their choosing to execute malicious code.

How to fix Arbitrary Code Execution?

Upgrade sandbox to version 1.0.0-beta.1, 2.0.0 or higher.

<1.0.0-beta.1>=2.0.0-alpha2 <2.0.0

sandbox@2.0.0-alpha5

Command line interface for Vercel Sandbox

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically