CVE-2026-25881

CRITICAL EPSS 41.9%
Published Feb 9, 2026 (4mo ago) · Modified Jun 17, 2026 (1w ago)
10.0 CVSS 3.1
Critical

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.
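
A host-side integrity check for the built-in prototypes the description says can be polluted, as an added example that is not code from SandboxJS or its advisory. It snapshots property descriptors before untrusted code runs, reports any change afterwards, and can restore the snapshot; the function names and the watched prototypes beyond Map and Set are assumptions.

```javascript
'use strict';
// Added example (not SandboxJS code). Tripwire only: run it in the host, and
// still upgrade to 0.8.31, where the page says the escape is fixed.

// Map/Set prototypes are named in the advisory; the others are an assumed extension.
const WATCHED = { Object, Array, Function, Map, Set };

// Capture every own property descriptor (string and symbol keys) per prototype.
function snapshotPrototypes(watched = WATCHED) {
  return Object.entries(watched).map(([name, ctor]) => {
    const proto = ctor.prototype;
    const descs = Reflect.ownKeys(proto).map(
      (key) => [key, Object.getOwnPropertyDescriptor(proto, key)]);
    return { name: `${name}.prototype`, proto, descs };
  });
}

function sameDescriptor(a, b) {
  return Object.is(a.value, b.value) && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

// Compare live prototypes with the snapshot and list what changed.
function diffPrototypes(snapshot) {
  const findings = [];
  for (const { name, proto, descs } of snapshot) {
    const before = new Map(descs);
    for (const key of Reflect.ownKeys(proto)) {
      const old = before.get(key);
      const now = Object.getOwnPropertyDescriptor(proto, key);
      if (!old) findings.push({ proto: name, key, change: 'added' });
      else if (!sameDescriptor(old, now)) findings.push({ proto: name, key, change: 'modified' });
      before.delete(key);
    }
    for (const key of before.keys()) findings.push({ proto: name, key, change: 'removed' });
  }
  return findings;
}

// Put the prototypes back to the snapshotted state after an alert.
function restorePrototypes(snapshot) {
  for (const { proto, descs } of snapshot) {
    const keep = new Set(descs.map(([key]) => key));
    for (const key of Reflect.ownKeys(proto)) if (!keep.has(key)) Reflect.deleteProperty(proto, key);
    for (const [key, desc] of descs) Reflect.defineProperty(proto, key, desc);
  }
}
```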

CVSS Details

Base Score: 10.0
Exploitability: 3.9
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 41.9% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-1321

Affected Products 1

Vendor: nyariv
Product: sandboxjs
Version: *
Range: <0.8.31

References 2

  • github.com https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53
    Patch
  • github.com https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53
    Patch