sandbox-escape
Safeguard articles tagged "sandbox-escape" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Claw Chain: Four Chained CVEs Turn 245,000 OpenClaw Agents Into Backdoors (May 2026)
Cyera disclosed four chainable flaws in OpenClaw on May 15, 2026 that take an autonomous agent from prompt injection to credential theft, privilege escalation, and a persistent backdoor. Roughly 245,000 instances sit exposed on the internet.
WebAssembly (WASM) security considerations
A 2018 WASM cryptominer hit 4,275+ websites in a day. Learn WebAssembly's real security risks, from memory bugs to supply chain blind spots.
Security concerns of using the Node.js VM module as a sandbox
Node's vm module and vm2 were never a security boundary. Four critical CVEs and a 2023 deprecation prove why untrusted-code sandboxes need real isolation.
CrewAI Sandbox Escape: Four CVEs That Chain Through Prompt Injection
Cyata disclosed four CrewAI vulnerabilities in early 2026 that chain through prompt injection to RCE, SSRF, and arbitrary file read. The Docker-fallback design pattern is the root cause.
Jinja2 sandbox escape (CVE-2022-29361)
CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.
Analysis of documented WebAssembly sandbox escape vulnera...
Real documented WASM sandbox escape cases in Wasmtime and Wasmer, covering affected versions, severity, disclosure timelines, and how to remediate.
CVE-2023-32314: Sandbox escape in vm2
CVE-2023-32314 let attackers escape the vm2 Node.js sandbox for remote code execution. Here's the CVSS 10.0 flaw, affected versions, timeline, and fixes.
CVE-2023-30547: Sandbox escape via Node custom inspect in...
CVE-2023-30547 lets attackers escape the vm2 Node.js sandbox via a crafted custom inspect method, achieving host code execution. Here's the impact, timeline, and fix.
CVE-2023-37466: Remote code execution via vm2 sandbox escape
A critical vm2 sandbox escape (CVE-2023-37466) lets untrusted JavaScript break out to achieve remote code execution on the host Node.js process.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.
A History of Browser Sandbox Escapes and What They Teach Us
Browser sandboxes are the last line of defense against web-based attacks. When they fail, everything is exposed. Here is what the major escapes reveal.