CVE-2022-23923: 
JavaScript vulnerability analysis and mitigation

All versions of the jailed package, a small JavaScript library for running untrusted code in a sandbox, are vulnerable to Sandbox Bypass via an exported alert() method which can access the main application. The vulnerability was discovered and disclosed on February 2, 2022, and was assigned CVE-2022-23923. The vulnerability affects all versions of the package with no fixed version available (Snyk DB).

The vulnerability exists because exported methods are stored in the application.remote object, which can be exploited to bypass sandbox restrictions. The vulnerability has a CVSS v3.1 base score of 8.6 (High) according to Snyk's assessment, with Network attack vector, Low attack complexity, and No privileges required. The vulnerability allows attackers to bypass the sandbox restrictions and access the main application through the exported alert() method (Snyk DB).

The successful exploitation of this vulnerability can lead to a total loss of confidentiality, with all resources within the impacted component being potentially exposed to the attacker. The vulnerability also allows for some modification of data, though with limited control over the consequences, and can cause partial interruptions in resource availability (Snyk DB).

There is currently no fixed version available for the jailed package. No official workarounds have been published (Snyk DB).