Arbitrary Code Execution Affecting sandbox package, versions <1.0.0-beta.1>=2.0.0-alpha2 <2.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-SANDBOX-16889832
- published27 May 2026
- disclosed31 Aug 2020
- creditRob Herley
Introduced: 31 Aug 2020
CVE NOT AVAILABLE CWE-94 (opens in a new tab)How to fix?
Upgrade sandbox to version 1.0.0-beta.1, 2.0.0 or higher.
Overview
sandbox is a nifty javascript sandbox for node.js.
Affected versions of this package are vulnerable to Arbitrary Code Execution through this.constructor.constructor. An attacker can execute arbitrary code in the system by evaluating payloads that have access to the main context, such as this.constructor.constructor('return process.env')().
Note: In June 2025, Vercel announced the launch of their Sandbox SDK and later, on 2025-10-15, Vercel claimed the name "Sandbox" for the npm package previously maintained by Gianni Chiappetta. This vulnerability concerns the original package, not the Vercel Sandbox.