CRITICAL🇵🇱 Wersja polska

CVE-2026-25586

CVSS 10.0v3.1pub. 2026-02-06upd. 2026-02-18

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29.

🤖 AI Analysis
How it works

The SandboxJS library's protection mechanism is based on a whitelist of prototype properties, whose enforcement occurs in the property access path using the hasOwnProperty method. An attacker can declare their own property named hasOwnProperty directly on the sandbox object, causing the original whitelist check to be bypassed. Once this protection is disabled, direct access to normally blocked properties such as __proto__ becomes possible, enabling a prototype pollution attack on the host's Object.prototype. The effects of such prototype poisoning are persistent and can affect all other objects running in the same process, including other sandbox instances.

Impact

An attacker can perform a prototype pollution attack on the host's global Object.prototype, leading to persistent, cross-cutting impact on all sandboxes and objects in the process, potentially enabling remote code execution (RCE) or application takeover.

Mitigation & patch

SandboxJS should be updated to version 0.8.29 or later, in which the vulnerability has been fixed. The patch is available in the vendor's GitHub repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3).

Who is affected

Nyariv SandboxJS in versions before 0.8.29

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.8.29
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-43898CRITICAL10.0PL ✓ten sam produkt

SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE

CVE-2026-34208CRITICAL10.0PL ✓ten sam produkt

SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25520CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą