GHSA-gc25-3vc5-2jf9: Sandbox Breakout / Arbitrary Code Execution in sandbox

September 4, 2020 (updated February 2, 2026)

All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload this.constructor.constructor('return process.env')() prints the contents of process.env.

References

github.com/advisories/GHSA-gc25-3vc5-2jf9
www.npmjs.com/advisories/1318

Code Behaviors & Features

Detect and mitigate GHSA-gc25-3vc5-2jf9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →