CVE-2026-25520
SandboxJS Pre-0.8.29 Prototype Pollution Enables Code Execution
Publication date: 2026-02-06
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nyariv | sandboxjs | up to 0.8.29 (exclusive), i.e. 0.8.28 and earlier |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25520 is a critical sandbox escape vulnerability in the SandboxJS JavaScript sandboxing library affecting versions up to 0.8.28. The issue arises because the return values of functions executed within the sandbox are not properly wrapped or sanitized. This flaw allows attackers to use JavaScript methods like Object.values or Object.entries to retrieve an array containing the host environment's native Function constructor. By accessing this constructor via Array.prototype.at, attackers can execute arbitrary code outside the sandbox environment.
This vulnerability enables chaining of function calls to bypass most validation and sanitization mechanisms, leading to remote code execution (RCE) on the host system without any privileges or user interaction.
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows an attacker to completely escape the sandbox and execute arbitrary code on the host system remotely. Since no privileges or user interaction are required, an attacker can gain full control over the affected system.
- Remote Code Execution (RCE) on the host system.
- Full system compromise including confidentiality, integrity, and availability breaches.
- Potential execution of arbitrary commands such as accessing system files or running malicious processes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your system is running a vulnerable version of the SandboxJS library (versions up to and including 0.8.28). Since the vulnerability allows execution of arbitrary code via the exposed Function constructor, one way to detect exploitation attempts is to monitor for unusual or unauthorized execution of commands that could be triggered through this vector.
A practical detection approach involves looking for suspicious JavaScript code that uses Object.values or Object.entries combined with Array.prototype.at to access the host's Function constructor within sandboxed environments.
For example, monitoring logs or sandboxed JavaScript execution for patterns similar to the following proof-of-concept commands could help identify exploitation attempts:
- `Object.values(sandboxedObject).at(0)` to access the Function constructor.
- Execution of commands like `process.getBuiltinModule('child_process').execSync('ls -lah')` via the exposed Function constructor.
On the system level, you can check the installed version of SandboxJS, for example by running:
- `npm list @nyariv/sandboxjs`
- `npm ls @nyariv/sandboxjs`
If the version is 0.8.28 or earlier, the system is vulnerable. [1]
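The two checks described above, as an added Node.js example that is not part of the advisory or of the SandboxJS project: it classifies an installed `@nyariv/sandboxjs` version against the affected range, walks a parsed `npm ls --json` tree for vulnerable copies (the sample tree and its package names are constructed), and applies a heuristic scan for the Object.values/Object.entries chained into `.at(` pattern the advisory names as an indicator.

```javascript
// Added example (not from the advisory or the SandboxJS project): a version check for
// the affected @nyariv/sandboxjs range (< 0.8.29) plus a heuristic scan for the
// Object.values/Object.entries -> .at(...) chain the advisory names as an indicator.
const FIXED_VERSION = [0, 8, 29]; // first fixed release, per the advisory

// Parse "0.8.28", "v0.8.28" or "^0.8.28" into numbers (prerelease suffixes ignored).
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is affected by CVE-2026-25520 (anything below 0.8.29).
function isVulnerableVersion(version) {
  return compareVersions(parseVersion(version), FIXED_VERSION) < 0;
}

// Heuristic: Object.values(...) or Object.entries(...) chained directly into .at(.
// Nested parentheses inside the call are not handled, so a miss means "not seen", not "safe".
const INDICATOR = /Object\.(values|entries)\s*\([^)]*\)\s*\.\s*at\s*\(/;
function containsEscapeIndicator(source) {
  return INDICATOR.test(source);
}

// Walk a parsed `npm ls --json` tree and list every vulnerable @nyariv/sandboxjs copy
// with its dependency path, including copies nested under other packages.
function findVulnerableInstalls(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === '@nyariv/sandboxjs' && info.version && isVulnerableVersion(info.version)) {
      hits.push(here.join(' > '));
    }
    if (info.dependencies) hits.push(...findVulnerableInstalls(info, here));
  }
  return hits;
}
// Constructed sample (hypothetical package names) standing in for `npm ls --json` output.
const SAMPLE_TREE = { dependencies: {
  '@nyariv/sandboxjs': { version: '0.8.28' },
  'example-plugin': { version: '1.2.0', dependencies: { '@nyariv/sandboxjs': { version: '0.8.29' } } },
} };
console.log(findVulnerableInstalls(SAMPLE_TREE)); // prints [ '@nyariv/sandboxjs@0.8.28' ]
```

Feed the real tree with `node -e` over the output of `npm ls --json --all` to cover nested copies; the regex scan is a triage aid for sandbox inputs, not a substitute for upgrading.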
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the SandboxJS package to version 0.8.29 or later, where this vulnerability has been fixed.
This update hardens the sandbox environment by properly wrapping return values of functions and restricting access to the host's Function constructor, preventing arbitrary code execution.
Additional mitigation steps include:
- Review and restrict the use of unsafe JavaScript methods such as Object.values, Object.entries, and Array.prototype.at within sandboxed code.
- Monitor sandboxed environments for suspicious activity or attempts to access the host environment's Function constructor.
- Apply security best practices such as running sandboxed code with least privilege and isolating sandbox environments. [1, 2]