Critical severity · NVD Advisory · Published Jan 7, 2022 · Updated Sep 17, 2024

Sandbox Bypass

CVE-2021-23594

Description

All versions of realms-shim are vulnerable to Sandbox Bypass via Prototype Pollution, allowing an attacker to pollute Object.prototype and escape the sandbox.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The realms-shim package, in all versions, is vulnerable to a Sandbox Bypass via a Prototype Pollution attack vector. The shim implements an outdated Realm API proposal, which does not provide isolation or security properties without either freezing intrinsics or hiding them behind a Membrane. The shim provides no mechanism to do either, allowing prototype pollution when two mutually-suspicious Realms communicate [1][3]. The affected versions are all releases of the package, which is now considered obsolete and insecure [1].

Exploitation

An attacker can exploit this vulnerability by injecting properties into the prototypes of JavaScript language constructs, reached through special properties such as __proto__, constructor, or prototype. This is typically achieved through an unsafe recursive object merge or property definition by path [3]. For the attack to succeed, objects must leak between Realms; the attacker does not require authentication or special privileges, only the ability to supply a crafted object to an evaluated code path within a Realm [1][3]. Once the polluting object is processed, the malicious properties are inherited by all JavaScript objects via the prototype chain.

Impact

Successful exploitation allows an attacker to bypass the sandbox provided by the Realm shim. This can lead to denial of service by triggering JavaScript exceptions, or tampering with application source code to force a code path that the attacker injects, potentially leading to remote code execution [3]. The attacker can pollute the globals or intrinsics of another Realm, compromising the integrity and confidentiality of the entire JavaScript environment [1].

Mitigation

The realms-shim package is obsolete and insecure, and no fix is planned. Users should migrate to alternative isolation tools such as Endo and the related SES/HardenedJS environment, which provide lockdown() to tame the environment at startup and the Compartment constructor for creating secure evaluation compartments [1]. Alternatively, adopt the ShadowRealm proposal, which defines a callable boundary that prevents object passing, mitigating prototype pollution risks [1].
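
The check below is an added example, not code from the advisory or from realms-shim. It uses Node's built-in vm contexts as a stand-in for Realms (an assumption; like the shim, they have separate intrinsics and no membrane) and reports whether a host realm's Object.prototype can be changed by guest code under three handling modes: object passed directly, Object.prototype frozen first, and data passed as a string in the style of a callable boundary. All function and variable names are hypothetical, and freezing only Object.prototype is a narrowed version of what lockdown() does.

```javascript
// Added example. Node's vm contexts stand in for Realms (assumption):
// each context has its own intrinsics and nothing wraps objects that
// cross between contexts. All names here are hypothetical.
const vm = require('node:vm');

// Guest-side code: takes whatever it was handed and tries to write a
// harmless marker onto the prototype of that value.
const GUEST_CODE = `
  var obj = typeof input === 'string' ? JSON.parse(input) : input;
  Reflect.set(Object.getPrototypeOf(obj), 'marker', true);
`;

// Returns true if, after the guest ran, a fresh object created in the
// host realm inherits the marker (i.e. host intrinsics were modified).
function hostIntrinsicsPolluted({ freezeIntrinsics, passByValue }) {
  const host = vm.createContext({});
  if (freezeIntrinsics) {
    // Narrow stand-in for taming the environment at startup.
    vm.runInContext('Object.freeze(Object.prototype)', host);
  }
  // An ordinary object whose prototype is the host realm's Object.prototype.
  const config = vm.runInContext('({ name: "demo" })', host);

  // Callable-boundary style: only a primitive (string) crosses, so the
  // guest rebuilds the data on top of its own intrinsics.
  const input = passByValue ? JSON.stringify(config) : config;

  const guest = vm.createContext({ input });
  vm.runInContext(GUEST_CODE, guest);

  return vm.runInContext('({}).marker === true', host);
}

// Constructed cases covering the three handling modes.
const cases = [
  { freezeIntrinsics: false, passByValue: false }, // object leaks as-is
  { freezeIntrinsics: true, passByValue: false },  // frozen intrinsics
  { freezeIntrinsics: false, passByValue: true },  // no object crosses
];
for (const opts of cases) {
  console.log(JSON.stringify(opts), '->', hostIntrinsicsPolluted(opts));
}
```

Only the first case reports true; both contexts are created for the demonstration, so the running process's own Object.prototype is never touched.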

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
realms-shim (npm) | <= 1.2.2 |

Patches

0

No patches discovered yet.

References

4
