Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
Published: 2026-02-02
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SandboxJS is a JavaScript sandboxing library that, before version 0.8.27, fails to restrict the use of the __lookupGetter__ property. This flaw allows a malicious user to manipulate object prototypes, leading to a prototype‑pollution attack that can bypass the sandbox environment and execute arbitrary JavaScript code. The vulnerability is identified as prototype pollution (CWE‑1321) and code injection (CWE‑94), culminating in remote code execution.

Affected Systems

The affected product is nyariv's SandboxJS. All releases older than 0.8.27 are vulnerable. Users of earlier versions that import the library into Node.js applications are susceptible unless the library is patched or updated.

Risk and Exploitability

The CVSS score is 10, indicating a critical threat. EPSS is below 1 % suggesting a low probability of widespread exploitation, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector likely involves supplying crafted JavaScript code that utilizes the __lookupGetter__ feature to mutate prototypes, thereby escaping the sandbox boundaries and running arbitrary code on the host environment.

Generated by OpenCVE AI on April 18, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SandboxJS to version 0.8.27 or newer, where the prototype handling bug has been fixed.
  • If an immediate upgrade is not feasible, revert the source code to the patched state by applying the commit revision 75c8009db32e6829b0ad92ca13bf458178442bd3 to the local repository.
  • Validate that the sandboxed environment is properly configured and restrict direct access to the library from untrusted code paths; consider implementing additional input validation and monitoring for unexpected code execution.

Generated by OpenCVE AI on April 18, 2026 at 14:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9p4w-fq8m-2hp7 SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
History

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1321
CPEs cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Nyariv
Nyariv sandboxjs
Vendors & Products Nyariv
Nyariv sandboxjs

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
Title SandboxJS Prototype Pollution -> Sandbox Escape -> RCE
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nyariv Sandboxjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:53:07.833Z

Reserved: 2026-01-29T15:39:11.820Z

Link: CVE-2026-25142

cve-icon Vulnrichment

Updated: 2026-02-04T15:55:47.805Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:09.440

Modified: 2026-02-18T14:34:30.523

Link: CVE-2026-25142

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses