GHSA-fm4j-4xhm-xpwx: Sandbox Breakout / Arbitrary Code Execution in sandbox
All versions of sandbox through 0.8.2 are vulnerable to a sandbox escape leading to remote code execution. Due to insufficient input sanitization, it is possible to escape the sandbox using constructors.
Detect and mitigate GHSA-fm4j-4xhm-xpwx with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.