CVE-2025-34146
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nyariv | sandboxjs | 0.8.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a prototype pollution issue in the @nyariv/sandboxjs library (versions <= 0.8.23). It allows attackers to inject arbitrary properties into JavaScript's Object.prototype by using specially crafted code. This can lead to denial-of-service (DoS) or, in some cases, allow attackers to escape the sandbox environment that is supposed to restrict code execution.
How can this vulnerability impact me?
The vulnerability can cause denial-of-service (DoS) conditions by corrupting the prototype chain, potentially crashing or destabilizing applications using the affected library. Additionally, it may allow attackers to escape sandbox restrictions, leading to unauthorized code execution and compromising the security of the environment.