10
CVE-2026-25881
- EPSS 0.55%
- Veröffentlicht 09.02.2026 21:12:58
- Zuletzt bearbeitet 18.02.2026 18:07:12
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Login@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.55% | 0.417 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
| security-advisories@github.com | 9 | 2.2 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj
https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53