CVE-2026-25142
Prototype Pollution via __lookupGetter__ in SandboxJS Allows RCE
Publication date: 2026-02-02
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nyariv | sandboxjs | < 0.8.27 (fixed in 0.8.27) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
In SandboxJS versions prior to 0.8.27, the legacy Object.prototype method __lookupGetter__ was not restricted inside the sandbox. Calling it on a sandboxed object returns the underlying getter function directly rather than a sandbox-wrapped value, and a raw host function gives the script a path to host prototypes (typically a host Function constructor) that the sandbox is meant to hide. Code running inside the sandbox can use this to escape it and execute arbitrary JavaScript in the host process; the advisory classifies the root cause as uncontrolled access to the object prototype chain (CWE-1321) leading to code injection (CWE-94).
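The following is an added illustration of the pattern described above, written for this page. It is not SandboxJS's code and not an exploit for CVE-2026-25142: it is a deliberately small "membrane" sandbox (the names hostObject, makeSandbox, attemptEscape, isDenied and both denylists are assumptions made for the example) that denies `constructor` on everything it hands out but, like many naive membranes, does not wrap the values a wrapped function returns. That is enough for `__lookupGetter__` to leak a raw host getter, whose `.constructor` is the host Function constructor. The hardened variant simply adds the Annex B accessor helpers to the denylist, which is the class of fix the advisory describes; how SandboxJS structures its own membrane is not stated on this page.

```javascript
// Added illustration of the CWE-1321 sandbox-escape pattern in this advisory.
// Toy membrane sandbox written for this page; NOT SandboxJS's implementation
// and NOT an exploit for CVE-2026-25142. Names (hostObject, makeSandbox,
// attemptEscape, isDenied, the denylists) are assumptions for the example.

// Host-side object the sandbox exposes. Its getter is a real host Function.
const hostObject = {
  get secret() { return 'host-data'; },
};

// Property names the toy membrane refuses on every object it hands out,
// because they lead straight to the host realm's Function constructor.
const BASE_DENYLIST = new Set(['constructor', '__proto__', 'prototype']);

// Legacy Object.prototype accessor helpers (ECMAScript Annex B). Calling
// __lookupGetter__ returns the *raw* getter function, bypassing the membrane.
const ACCESSOR_HELPERS = [
  '__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__',
];
const HARDENED_DENYLIST = new Set([...BASE_DENYLIST, ...ACCESSOR_HELPERS]);

// Wrap `target` in a Proxy. Property reads are policed; functions reached
// through the membrane are proxied too, so `.constructor` on them is denied.
// The return value of a wrapped call is handed back UNWRAPPED, which is the
// gap __lookupGetter__ reaches in this toy.
function makeSandbox(target, denylist) {
  const deny = (prop) => {
    if (typeof prop === 'string' && denylist.has(prop)) {
      throw new Error(`sandbox: access to "${prop}" denied`);
    }
  };
  return new Proxy(target, {
    get(obj, prop, receiver) {
      deny(prop);
      const value = Reflect.get(obj, prop, receiver);
      if (typeof value !== 'function') return value;
      return new Proxy(value, {
        get(fn, fprop) {
          deny(fprop);
          return Reflect.get(fn, fprop);
        },
        apply(fn, _thisArg, args) {
          // Real function, real target as `this`, raw return value.
          return Reflect.apply(fn, obj, args);
        },
      });
    },
  });
}

// What untrusted code inside the sandbox would try: `sandbox.constructor`
// is denied, but `sandbox.__lookupGetter__('secret')` yields the raw host
// getter, whose `.constructor` is the host Function constructor. Returns the
// host object the escape reached (globalThis), or null if it was blocked.
function attemptEscape(sandbox) {
  try {
    const rawGetter = sandbox.__lookupGetter__('secret');
    const HostFunction = rawGetter.constructor;
    return HostFunction('return globalThis')();
  } catch (_e) {
    return null;
  }
}

// Does reading `prop` through the membrane raise the sandbox's denial error?
function isDenied(sandbox, prop) {
  try {
    sandbox[prop];
    return false;
  } catch (e) {
    return /denied/.test(e.message);
  }
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const weak = makeSandbox(hostObject, BASE_DENYLIST);
  const hardened = makeSandbox(hostObject, HARDENED_DENYLIST);
  console.log('weak denies constructor:', isDenied(weak, 'constructor'));
  console.log('weak escaped to host global:', attemptEscape(weak) === globalThis);
  console.log('hardened still serves data:', hardened.secret);
  console.log('hardened escape blocked:', attemptEscape(hardened) === null);
}
```

The point to take from the example is that denying `constructor` and `__proto__` on proxied objects is not sufficient on its own: any helper that can return an unwrapped host function, and `__lookupGetter__`/`__lookupSetter__` do exactly that by design, has to be denied or its results wrapped as well.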
How can this vulnerability impact me?
Any untrusted input that an affected SandboxJS version evaluates (user-supplied scripts, expressions or templates) can break out of the sandbox and run arbitrary JavaScript in the process that hosts it, with that process's privileges. The "remote" in RCE reflects that such input typically arrives over the network. The result is complete compromise of the sandbox and of the host process, which can lead to full system compromise, data theft, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SandboxJS to version 0.8.27 or later; that release restricts __lookupGetter__ so it can no longer be used to reach host prototypes from inside the sandbox. Until the upgrade is deployed, do not evaluate untrusted input with an affected version.