CRITICAL🇵🇱 Wersja polska

CVE-2026-25520

CVSS 10.0v3.1pub. 2026-02-06upd. 2026-02-18

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.

🤖 AI Analysis
How it works

Return values from functions inside the sandbox are not wrapped into safe equivalents. An attacker can use Object.values or Object.entries methods to obtain an array containing the host's Function constructor. Subsequently, using the Array.prototype.at method, it is possible to extract this constructor and use it to build and execute arbitrary JavaScript code outside the controlled sandbox environment. This is a classic injection scenario (CWE-74) leading to full RCE on the host side.

Impact

An attacker can execute arbitrary JavaScript code outside the sandbox in the context of the host process, resulting in complete takeover of the application, data leakage, and potential compromise of system integrity and availability.

Mitigation & patch

SandboxJS should be updated to version 0.8.29 or later. The patch is available in the vendor's repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3). Until the update is applied, untrusted input data should not be passed to the SandboxJS environment.

Who is affected

Nyariv SandboxJS library in all versions before 0.8.29

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.8.29
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-43898CRITICAL10.0PL ✓ten sam produkt

SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE

CVE-2026-34208CRITICAL10.0PL ✓ten sam produkt

SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25586CRITICAL10.0PL ✓ten sam produkt

SandboxJS — ucieczka z sandbox przez shadowing hasOwnProperty