


Perceptive Security
SOC/SIEM Consultancy

SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal …
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 21:01:38
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
SandboxJS, a JavaScript sandboxing library, contains a critical sandbox-escape vulnerability in versions before 0.9.6 (CVE-2026-43898). Functions defined inside the sandbox expose Function.caller, so sandboxed code can follow that property back to the library's internal LispType.Call runtime callbacks. An attacker can then re-invoke those callbacks with attacker-chosen context and object values to extract host statics the sandbox is supposed to block, recover the real host Function constructor, and from there execute arbitrary JavaScript in the host. This is a complete sandbox escape and amounts to arbitrary code execution in the embedding application. The issue is fixed in version 0.9.6.
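The advisory text above describes the mechanism only in outline. The following is an added illustration, not SandboxJS's own code and not the contents of the linked fix commit: a toy sandbox runtime whose single internal call/lookup primitive is a sloppy-mode function, so any guest-defined function it invokes can read it back through Function.caller and re-enter it with a forged context. The same runtime built with strict-mode internals shows the generic countermeasure (a strict function is never reported as a caller, and a strict function's own caller property throws). All names here (buildRuntime, the `ctx.sandboxed` flag, the fake host statics, the 4242 pid) are constructed for the example, and the toy deliberately models only this one primitive, not the rest of a real sandbox's protections.

```javascript
// Added example (not SandboxJS code): Function.caller leak from a sloppy-mode
// sandbox runtime, and the same runtime with strict-mode internals.

function buildRuntime(strictInternals) {
  // Host values the sandbox is supposed to hide from guest code (constructed).
  const hostStatics = { Function: Function, Math: Math, process: { pid: 4242 } };
  const BLOCKED = new Set(['Function', 'eval', 'process']);

  // The runtime's internal call/lookup primitive. It is built with the Function
  // constructor so its language mode is fixed by `prefix`, independent of whether
  // this file itself is loaded as strict code.
  const prefix = strictInternals ? '"use strict";' : '';
  const call = new Function('BLOCKED', 'hostStatics', prefix + `
    return function call(ctx, obj, prop, args) {
      // The block-list is enforced only for sandboxed contexts, because the
      // runtime also uses this primitive for its own host-side work.
      if (ctx.sandboxed && BLOCKED.has(prop)) throw new Error('blocked: ' + prop);
      var target = (obj === null) ? hostStatics : obj;   // null obj = host statics
      var v = target[prop];
      return (typeof v === 'function' && args) ? v.apply(target, args) : v;
    };`)(BLOCKED, hostStatics);

  const guestCtx = { sandboxed: true };
  // What guest code legitimately receives: a lookup pinned to the sandboxed ctx.
  const api = { get: (name) => call(guestCtx, null, name) };
  // Guest-defined functions are invoked through the same primitive, so `call`
  // becomes the guest function's Function.caller while it runs.
  return { run: (guestFn) => call(guestCtx, { fn: guestFn }, 'fn', [api]) };
}

// A guest-defined function (sloppy mode, as guest code without a strict
// directive would be). It ignores the api it was handed and reads its caller.
const escapingGuest = new Function(`
  return function guest(api) {
    var leaked = guest.caller;                 // internal call() primitive, or null
    if (leaked === null) return { escaped: false };
    // Re-enter the primitive with a host-flavoured ctx: the block-list is
    // skipped and obj === null selects the hidden host statics.
    var hostCtx = { sandboxed: false };
    var HostFunction = leaked(hostCtx, null, 'Function');
    var pid = leaked(hostCtx, null, 'process').pid;
    return { escaped: true, pid: pid, fortyTwo: HostFunction('return 6*7')() };
  };`)();

// A well-behaved guest that only uses the sanctioned api.
const benignGuest = new Function(`
  return function guest(api) { return api.get('Math').max(3, 9); };`)();

// A guest that asks the sanctioned api for a blocked name: the block-list holds.
function tryBlockedLookup(runtime) {
  const guest = new Function(`
    return function guest(api) {
      try { api.get('process'); return 'allowed'; } catch (e) { return e.message; }
    };`)();
  return runtime.run(guest);
}

function demo() {
  const vulnerable = buildRuntime(false);   // sloppy internals: caller leaks
  const hardened = buildRuntime(true);      // strict internals: caller is null
  return {
    vulnerable: vulnerable.run(escapingGuest),   // { escaped: true, pid: 4242, fortyTwo: 42 }
    hardened: hardened.run(escapingGuest),       // { escaped: false }
    blocked: tryBlockedLookup(vulnerable),       // 'blocked: process'
    benign: vulnerable.run(benignGuest),         // 9
  };
}
```

The same probe doubles as a quick check against any JavaScript sandbox you operate: evaluate a guest function that returns its own `.caller` and confirm it yields null (or throws) rather than a host-side function object. Strict-mode internals are one generic countermeasure; what the SandboxJS maintainers actually changed is in the linked commit.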
Mitigation steps:
Upgrade SandboxJS to version 0.9.6 or later, where the Function.caller exposure is fixed.
Affected products:
SandboxJS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-43898
https://github.com/nyariv/SandboxJS/commit/826865251232611ec94078bab5a18ec875dad4a5
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-g8f2-4f4f-5jqw
This article was created with the assistance of AI technology by Perceptive.
