SandboxJS JavaScript sandboxing library contains a critical vulnerability prior to version 0.9.6 where sandbox-defined functions expose Function.caller, allowing sandboxed code to recover internal LispType.Call runtime callbacks. Attackers can invoke these callbacks with controlled fake context and object values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript code, effectively escaping the sandbox security boundary. This represents a complete sandbox bypass vulnerability that allows full host environment access. The vulnerability has been patched in version 0.9.6.