CVE-2025-34146
Published: 2025-07-31
Priority: P4 | CVSS 4.0 severity: high
CVSS 4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined). Read as: local attack vector (the attacker must already get code evaluated by the sandbox), no privileges or user interaction required, high integrity and availability impact on the vulnerable system, no confidentiality impact, no impact on subsequent systems scored.
EPSS: 0.19% (9.4th percentile)
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. Because Object.prototype is shared by every object in the host realm, this can result in a denial-of-service (DoS) condition (for example when a built-in such as toString is overwritten) or, under certain conditions, an escape from the sandboxed environment that is intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox's executor logic, particularly in the handling of JavaScript function objects returned from the sandbox.
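Added example, not code from @nyariv/sandboxjs or its advisory: what a host that evaluates untrusted JavaScript in-process can do about this vulnerability class. It snapshots the property descriptors of the shared intrinsic prototypes, runs a snippet, reports any key added to or built-in replaced on those prototypes (the DoS case above corresponds to a replaced built-in such as Object.prototype.toString), rolls the change back and withholds the result, and then shows the preventive fix of freezing the intrinsics before untrusted code runs. The two untrusted snippets, the INTRINSICS list and the use of new Function() in place of the sandbox executor are constructed for the example and do not reproduce the sandboxjs code path.

```javascript
'use strict';
// Added example, not the @nyariv/sandboxjs implementation: canary detection and
// freeze-based prevention of prototype pollution in a host that evaluates
// untrusted JavaScript in-process. The untrusted snippets, the INTRINSICS list and
// the use of new Function() as a stand-in for the sandbox executor are all
// constructed for this example and do not reproduce the sandboxjs code path.

// Prototypes every object in the realm inherits from; a write here is process-wide.
const INTRINSICS = { Object, Array, Function, String, Number, Boolean };

// Record the full property descriptor of every own key (strings and symbols) on
// each intrinsic prototype, so changes can be both detected and rolled back.
function snapshotPrototypes() {
  const snap = {};
  for (const [name, ctor] of Object.entries(INTRINSICS)) {
    const descriptors = new Map();
    for (const key of Reflect.ownKeys(ctor.prototype)) {
      descriptors.set(key, Object.getOwnPropertyDescriptor(ctor.prototype, key));
    }
    snap[name] = descriptors;
  }
  return snap;
}

// One finding per key that was added (classic pollution such as isAdmin) or whose
// value/getter/setter was replaced (e.g. Object.prototype.toString set to 42, which
// breaks string coercion for every object in the process: the DoS case).
function diffPrototypes(snap) {
  const findings = [];
  for (const [name, ctor] of Object.entries(INTRINSICS)) {
    for (const key of Reflect.ownKeys(ctor.prototype)) {
      const now = Object.getOwnPropertyDescriptor(ctor.prototype, key);
      const was = snap[name].get(key);
      if (!was) {
        findings.push({ proto: name, key, kind: 'added' });
      } else if (was.value !== now.value || was.get !== now.get || was.set !== now.set) {
        findings.push({ proto: name, key, kind: 'modified' });
      }
    }
  }
  return findings;
}

// Undo the findings: drop added keys, reinstall the original descriptors.
function restorePrototypes(snap, findings) {
  for (const f of findings) {
    const proto = INTRINSICS[f.proto].prototype;
    if (f.kind === 'added') delete proto[f.key];
    else Object.defineProperty(proto, f.key, snap[f.proto].get(f.key));
  }
}

// Evaluate untrusted source, then audit and repair the intrinsics. The result is
// withheld whenever the canary fires, since nothing computed in a polluted realm
// should be trusted. new Function() stands in for a sandbox whose prototype-access
// checks let a write reach the real Object.prototype.
function runWithCanary(source) {
  const snap = snapshotPrototypes();
  let result;
  let error;
  try {
    result = new Function(source)();
  } catch (e) {
    error = e;
  }
  const findings = diffPrototypes(snap);
  restorePrototypes(snap, findings);
  return { result: findings.length ? undefined : result, error, findings };
}

// Preventive fix: frozen intrinsics reject the write (TypeError in strict code,
// silently ignored in sloppy code) instead of polluting every object in the process.
function hardenIntrinsics() {
  for (const ctor of Object.values(INTRINSICS)) Object.freeze(ctor.prototype);
}

// Constructed untrusted snippets (plain JS, not a sandboxjs payload).
const POLLUTE = "({}).__proto__.isAdmin = true; return ({}).isAdmin;";
const DOS = "Object.prototype.toString = 42; return String({});";

function demo() {
  const polluted = runWithCanary(POLLUTE);   // findings: Object.isAdmin added; result withheld
  const dos = runWithCanary(DOS);            // error: TypeError; findings: Object.toString modified
  hardenIntrinsics();
  const hardened = runWithCanary(POLLUTE);   // findings: []; the write never landed
  return { polluted, dos, hardened };
}

const DEMO = demo();
console.log(DEMO.polluted.findings, DEMO.dos.error && DEMO.dos.error.message, DEMO.hardened.findings);
```

The canary is after the fact: the process is polluted for the duration of the untrusted call, so it is a detection and containment measure, not a substitute for upgrading to 0.8.24 or for freezing the intrinsics up front (Node.js offers the same process-wide effect with the experimental --frozen-intrinsics flag; either approach breaks libraries that polyfill built-ins, so test them first). Extend INTRINSICS to whatever prototypes host code relies on: as written, a write to Promise.prototype or Map.prototype would go unnoticed.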
Affected
2 ranges (both describe the same affected versions; the fix is 0.8.24)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nyariv | sandboxjs | <= 0.8.23 | — |
| nyariv | sandboxjs | >= 0 < 0.8.24 | 0.8.24 |
OSV (2025-07-31): CVE-2025-34146 [HIGH] @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
GHSA (2025-07-31): CVE-2025-34146 [HIGH] CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution") @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.