{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25142", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.820Z", "datePublished": "2026-02-02T22:51:40.651Z", "dateUpdated": "2026-02-04T16:53:07.833Z"}, "containers": {"cna": {"title": "SandboxJS Prototype Pollution -> Sandbox Escape -> RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7"}, {"name": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3"}, {"name": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398", "tags": ["x_refsource_MISC"], "url": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398"}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"version": "< 0.8.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:52:11.849Z"}, "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27."}], "source": {"advisory": "GHSA-9p4w-fq8m-2hp7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:55:41.355946Z", "id": "CVE-2026-25142", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:53:07.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T15:55:41.355946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:55:47.805Z"}}], "cna": {"title": "SandboxJS Prototype Pollution -> Sandbox Escape -> RCE", "source": {"advisory": "GHSA-9p4w-fq8m-2hp7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"status": "affected", "version": "< 0.8.27"}]}], "references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7", "name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3", "name": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398", "name": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:52:11.849Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25142", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:53:07.833Z", "dateReserved": "2026-01-29T15:39:11.820Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T22:51:40.651Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0B7FD7B0-0F36-4201-9F29-513F12B3DC25", "versionEndExcluding": "0.8.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27."}, {"lang": "es", "value": "SandboxJS es una biblioteca de sandboxing de JavaScript. Antes de la versi\u00f3n 0.8.27, SandboxJS no restringe adecuadamente __lookupGetter__, que puede usarse para obtener prototipos, lo que puede usarse para escapar del sandbox / ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.8.27."}], "id": "CVE-2026-25142", "lastModified": "2026-02-18T14:34:30.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:09.440", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:16:01.567975+00:00", "value": {"mitigation_remediation": ["Upgrade SandboxJS to version 0.8.27 or newer, where the prototype handling bug has been fixed.", "If an immediate upgrade is not feasible, revert the source code to the patched state by applying the commit revision 75c8009db32e6829b0ad92ca13bf458178442bd3 to the local repository.", "Validate that the sandboxed environment is properly configured and restrict direct access to the library from untrusted code paths; consider implementing additional input validation and monitoring for unexpected code execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is nyariv's SandboxJS. All releases older than 0.8.27 are vulnerable. Users of earlier versions that import the library into Node.js applications are susceptible unless the library is patched or updated.", "description_and_impact": "SandboxJS is a JavaScript sandboxing library that, before version 0.8.27, fails to restrict the use of the __lookupGetter__ property. This flaw allows a malicious user to manipulate object prototypes, leading to a prototype\u2011pollution attack that can bypass the sandbox environment and execute arbitrary JavaScript code. The vulnerability is identified as prototype pollution (CWE\u20111321) and code injection (CWE\u201194), culminating in remote code execution.", "risk_and_exploitability": "The CVSS score is 10, indicating a critical threat. EPSS is below 1\u202f% suggesting a low probability of widespread exploitation, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector likely involves supplying crafted JavaScript code that utilizes the __lookupGetter__ feature to mutate prototypes, thereby escaping the sandbox boundaries and running arbitrary code on the host environment."}}}}, "created": "2026-02-04T12:17:44.213622+00:00", "updated": "2026-04-18T14:30:02.931225+00:00", "vendors": ["nyariv", "nyariv$PRODUCT$sandboxjs"]}