CVE-2026-25881

Critical CVSS: 9.0

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.

Vendor

Nyariv

Product

Sandboxjs

CWE

CWE-1321

Yayın Tarihi

2026-02-09 22:16:03

Güncelleme

2026-02-18 18:07:12

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-1321 Sandboxjs CRITICAL Nyariv 2026

Referanslar

https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj

Benzer Kayıtlar

Medium

CVE-2026-32723

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global…

Critical

CVE-2026-26954

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, whic…

Critical

CVE-2026-25641

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch…

Critical

CVE-2026-25520

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.val…

Critical

CVE-2026-25586

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…

Critical

CVE-2026-25587

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtain…