GHSA-9qm3-6qrr-c76m

Suggest an improvement
Source
https://github.com/advisories/GHSA-9qm3-6qrr-c76m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9qm3-6qrr-c76m/GHSA-9qm3-6qrr-c76m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9qm3-6qrr-c76m
Aliases
  • CVE-2025-34146
Published
2025-07-31T15:35:50Z
Modified
2025-07-31T19:42:17.060687Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
Details

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned.

Database specific 
{
    "nvd_published_at": "2025-07-31T15:15:36Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-07-31T19:28:27Z",
    "github_reviewed": true,
    "severity": "HIGH"
}
References

Affected packages

npm / @nyariv/sandboxjs

Package

Name
@nyariv/sandboxjs
View open source insights on deps.dev
Purl
pkg:npm/%40nyariv/sandboxjs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.8.24

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9qm3-6qrr-c76m/GHSA-9qm3-6qrr-c76m.json"