Critical SandboxJS Sandbox-Escape Vulnerabilities Enabling Host Code Execution
Multiple critical vulnerabilities in SandboxJS—a JavaScript sandboxing library used to run untrusted code—were disclosed as enabling sandbox escape and arbitrary code execution on the host, with several issues scored CVSS 10.0. Reported flaws include CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, and CVE-2026-25641, described as providing multiple paths to break out of SandboxJS’s isolation guarantees and take over the underlying runtime environment.
Technical details published for CVE-2026-25520 indicate that, prior to SandboxJS 0.8.29, function return values are not wrapped, allowing attackers to use Object.values()/Object.entries() to obtain an array containing the host’s Function constructor (e.g., via Array.prototype.at), which can then be used to execute code outside the sandbox; the issue is fixed in 0.8.29 (with a referenced upstream commit and GitHub Security Advisory). Additional reported escape vectors include manipulation of supposedly safe prototypes (e.g., overwriting Map.prototype.has via a bug in the library’s let implementation) and a host prototype pollution condition tied to unsafe property-checking logic, collectively undermining the library’s core containment model.
Timeline
Feb 11, 2026
CVE-2026-25881 disclosed and fixed in SandboxJS 0.8.31
A separate critical SandboxJS vulnerability, CVE-2026-25881, was disclosed affecting versions prior to 0.8.31. The flaw allowed protected global prototype references to lose their protection marker when placed in arrays, enabling host-side prototype pollution and possible remote code execution; maintainers fixed it in version 0.8.31.
Feb 6, 2026
CVE-2026-25520 publicly disclosed as SandboxJS sandbox escape
A public advisory disclosed CVE-2026-25520, a critical SandboxJS flaw caused by unwrapped function return values that let attackers recover the host Function constructor and execute code outside the sandbox. The issue was mapped to SandboxJS versions before 0.8.29 and assigned a high-severity CVSS vector.
Feb 6, 2026
SandboxJS fixes four critical sandbox escape flaws in version 0.8.29
SandboxJS released version 0.8.29 to fix four critical vulnerabilities affecting versions 0.8.28 and earlier, including CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, and CVE-2026-25641. The flaws allowed sandbox escape and arbitrary code execution on the host system.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
SandboxJS Sandbox Escape via Host Prototype Pollution (CVE-2026-25881)
**CVE-2026-25881** is a critical sandbox-escape flaw in *SandboxJS* (`@nyariv/sandboxjs`) that allows sandboxed JavaScript to **mutate host built-in prototypes** (e.g., `Map.prototype`, `Set.prototype`) and cause persistent **host-side prototype pollution**. The issue stems from SandboxJS’s `isGlobal` protection mechanism: when a global prototype reference is placed into an **array literal** and then retrieved, the `isGlobal` “taint” is stripped, enabling direct prototype mutation from within the sandbox. The vulnerability affects versions **prior to 0.8.31** and is fixed in **0.8.31**; CVSS v3.1 is reported as `AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H` and the weakness is mapped to **CWE-1321**. Public reporting indicates a working **proof-of-concept (PoC)** is available demonstrating multiple exploitation scenarios, including adding attacker-controlled properties to host prototypes and overwriting built-in functions. While the sandbox escape itself is the core impact, **remote code execution is application-dependent**: if the host application later uses polluted properties in sensitive sinks (example gadget: `execSync(obj.cmd)`), an attacker can potentially execute system commands (e.g., `id`). Organizations using SandboxJS to run untrusted code should prioritize upgrading to **0.8.31** and review host code paths for dangerous use of object properties that could be influenced via prototype pollution.
1 months ago
JavaScript Library Flaws Enable Sandbox Escape and Code Execution
Two high-severity flaws were disclosed in widely used JavaScript libraries, exposing applications to sandbox bypass and arbitrary code execution. **CVE-2026-34208** affects SandboxJS before `0.8.36` and allows attacker-supplied code to evade protections on direct assignment to global objects by abusing an exposed constructor path. The bypass uses `this.constructor.call(target, attackerObject)` to reach the internal `SandboxGlobal` function while `Function.prototype.call` remains permitted, enabling arbitrary properties to be written into host global objects and persist across sandbox instances in the same process. A separate issue, **CVE-2026-41242**, impacts `protobufjs` before `8.0.1` and `7.5.5`, where attackers can inject arbitrary code into Protocol Buffers definition `type` fields and trigger execution during object decoding with a malicious schema. The flaw is tracked as **CWE-94** and carries a CVSS v4 rating reflecting network-reachable exploitation with high impact to confidentiality, integrity, availability, and downstream systems. Maintainers released fixes in SandboxJS `0.8.36` and protobufjs `8.0.1` and `7.5.5`.
2 weeks ago
SandboxJS Sandbox Escape via Unprotected AsyncFunction Constructor (CVE-2026-23830)
**CVE-2026-23830** is a maximum-severity (**CVSS 10.0**) sandbox-escape vulnerability in *SandboxJS*, a library intended to safely execute untrusted JavaScript. The issue allows attackers to break out of the sandbox and achieve **arbitrary code execution on the host** by leveraging gaps in SandboxJS’s “safe replacement” model for dangerous constructors. The flaw stems from SandboxJS mapping the global `Function` constructor to a sandboxed equivalent, but (in affected versions) failing to similarly isolate the “Async” and generator constructor families: `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. Although these constructors are not directly exposed as globals, they can be obtained via an instance’s `.constructor` (e.g., `(async () => {}).constructor`); because the executor returns the **native host** `AsyncFunction` when it is not present in the safe-replacement map, an attacker can create new functions that execute in the global scope and bypass sandbox restrictions. *SandboxJS* **0.8.26** is reported as the patched version.
1 months ago