CVE-2026-25641
Unknown Unknown - Not Provided
Sandbox Escape in SandboxJS Before 0.8.29 Allows Code Bypass

Publication date: 2026-02-06

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25641
EUVD
EUVD-2026-5589
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nyariv sandboxjs to 0.8.29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25641 is a critical sandbox escape vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0.8.29. The issue arises from a mismatch between the key used for validation and the key used for property access. Although the key parameter is annotated as a string, this is not enforced, allowing attackers to pass malicious objects that coerce to different string values at different times.'}, {'type': 'paragraph', 'content': "Specifically, an attacker can craft an object whose string conversion returns one value during the validation phase (e.g., when checked with hasOwnProperty) and a different value during the actual property access. This discrepancy allows bypassing the sandbox's security checks, enabling the attacker to escape the sandbox."}, {'type': 'paragraph', 'content': "A proof-of-concept shows how an attacker can modify the prototype of a Map object inside the sandbox and execute arbitrary code such as running system commands via Node.js's child_process.execSync."}] [2]

Impact Analysis

This vulnerability can have severe impacts as it allows remote attackers to escape the sandbox environment and execute arbitrary code on the host system.

  • Remote code execution without any privileges or user interaction.
  • Full compromise of confidentiality, integrity, and availability of the affected system.
  • Potential unauthorized access to sensitive data and system resources.
Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a sandbox escape in SandboxJS versions prior to 0.8.29 due to a TOCTOU bug with property key validation and access. Detection involves identifying if your system is running a vulnerable version of the @nyariv/sandboxjs package (version 0.8.28 or earlier).

You can check the installed version of SandboxJS in your project by running the following command in your project directory:

  • npm list @nyariv/sandboxjs

If the version is 0.8.28 or earlier, your system is vulnerable. Additionally, monitoring for unusual or unauthorized execution of code within the sandbox environment, especially attempts to access or modify prototype properties, may indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the @nyariv/sandboxjs package to version 0.8.29 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, consider restricting or monitoring code execution within the sandbox environment to prevent untrusted code from running, as this vulnerability allows remote code execution via sandbox escape.

Additionally, review and apply any security advisories or patches provided by the maintainers and monitor your systems for suspicious activity related to sandbox usage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart