CVE-2026-25641
Sandbox Escape in SandboxJS Before 0.8.29 Allows Code Bypass
Publication date: 2026-02-06
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nyariv | sandboxjs | before 0.8.29 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25641 is a critical sandbox escape vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0.8.29. The issue arises from a mismatch between the key used for validation and the key used for property access. Although the key parameter is annotated as a string, this is not enforced, allowing attackers to pass malicious objects that coerce to different string values at different times.
Specifically, an attacker can craft an object whose string conversion returns one value during the validation phase (e.g., when checked with hasOwnProperty) and a different value during the actual property access. This discrepancy allows bypassing the sandbox's security checks, enabling the attacker to escape the sandbox.
A proof-of-concept shows how an attacker can modify the prototype of a Map object inside the sandbox and execute arbitrary code such as running system commands via Node.js's child_process.execSync. [2]
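The check/use mismatch described above, and the coerce-once fix for it, shown on a toy guarded property read. This is an added example, not SandboxJS source code and not the project's patch; every function name in it is hypothetical and the sample objects are constructed.

```javascript
// Added illustration: toy guarded property read, not SandboxJS source code.
// All function names here are hypothetical.
const hasOwn = Object.prototype.hasOwnProperty;

// Vulnerable pattern: `key` is assumed to be a string but never forced to be one.
// hasOwn.call() coerces it once (the check); obj[key] coerces it again (the use).
function guardedGetUnsafe(obj, key) {
  if (!hasOwn.call(obj, key)) return undefined; // check: first coercion
  return obj[key];                              // use: second coercion
}

// Hardened pattern: coerce exactly once, then check and use that same primitive.
// Symbols are valid property keys and pass through unchanged.
function toPropertyKey(key) {
  return typeof key === 'symbol' ? key : String(key);
}
function guardedGetSafe(obj, key) {
  const k = toPropertyKey(key);                 // single coercion
  if (!hasOwn.call(obj, k)) return undefined;   // check on the primitive
  return obj[k];                                // use of the same primitive
}

// Stricter alternative: refuse anything that is not already a primitive key.
function guardedGetStrict(obj, key) {
  if (typeof key !== 'string' && typeof key !== 'symbol') {
    throw new TypeError('property key must be a string or symbol');
  }
  return hasOwn.call(obj, key) ? obj[key] : undefined;
}

// Constructed test input: an object whose string form changes between reads.
function makeShiftingKey(first, later) {
  let reads = 0;
  return { toString() { return reads++ === 0 ? first : later; } };
}

function demo() {
  const record = { name: 'alice' };             // constructed sample object
  const shifting = () => makeShiftingKey('name', 'constructor');
  return {
    // check sees "name" (own), use reads "constructor" (inherited)
    unsafeLeaksInherited: guardedGetUnsafe(record, shifting()) === Object,
    // one coercion: check and use both see "name"
    safeValue: guardedGetSafe(record, shifting()),
    // inherited names are still rejected when passed as plain strings
    safeInherited: guardedGetSafe(record, 'constructor'),
  };
}
```

The same rule applies to any validator that receives a value typed as string only by annotation: normalize to a primitive at the trust boundary and pass only that primitive onward.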
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows remote attackers to escape the sandbox environment and execute arbitrary code on the host system.
- Remote code execution without any privileges or user interaction.
- Full compromise of confidentiality, integrity, and availability of the affected system.
- Potential unauthorized access to sensitive data and system resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a sandbox escape in SandboxJS versions prior to 0.8.29 due to a TOCTOU bug with property key validation and access. Detection involves identifying if your system is running a vulnerable version of the @nyariv/sandboxjs package (version 0.8.28 or earlier).
You can check the installed version of SandboxJS in your project by running the following command in your project directory:
- npm list @nyariv/sandboxjs
If the version is 0.8.28 or earlier, your system is vulnerable. Additionally, monitoring for unusual or unauthorized execution of code within the sandbox environment, especially attempts to access or modify prototype properties, may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the @nyariv/sandboxjs package to version 0.8.29 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, consider restricting or monitoring code execution within the sandbox environment to prevent untrusted code from running, as this vulnerability allows remote code execution via sandbox escape.
Additionally, review and apply any security advisories or patches provided by the maintainers and monitor your systems for suspicious activity related to sandbox usage.