CRITICAL🇵🇱 Wersja polska

CVE-2026-25641

CVSS 10.0v3.1pub. 2026-02-06upd. 2026-02-18

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.

🤖 AI Analysis
How it works

The vulnerability results from a discrepancy (time-of-check to time-of-use, CWE-367) between the key used during validation and the key actually used when accessing an object property. Although the key is marked as string type, its value is never actually enforced as such. An attacker can pass a malicious object that returns one value when hasOwnProperty(key) is called during the sanitization phase, but returns a different value during actual property access — allowing the security control mechanism to be bypassed. As a result, it is possible to access properties that have not passed verification.

Impact

An attacker can escape the isolated sandbox environment and gain access to host resources, which may lead to complete compromise of system confidentiality, integrity, and availability.

Mitigation & patch

The SandboxJS library should be updated to version 0.8.29 or later, in which the vulnerability has been removed. The patch is available in the vendor's repository (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3).

Who is affected

Nyariv SandboxJS in all versions before 0.8.29

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.8.29
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-43898CRITICAL10.0PL ✓ten sam produkt

SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE

CVE-2026-34208CRITICAL10.0PL ✓ten sam produkt

SandboxJS: obejście ochrony sandbox przez ścieżkę konstruktora

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25520CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą