CVE-2026-25142
- Source
- https://cve.org/CVERecord?id=CVE-2026-25142
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25142.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25142
- Aliases
- Published
- 2026-02-02T22:51:40.651Z
- Modified
- 2026-02-20T01:35:55.842667Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- SandboxJS Prototype Pollution -> Sandbox Escape -> RCE
- Details
-
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict lookupGetter which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25142.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-94" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25142.json
- https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
- https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3
- https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7
- https://nvd.nist.gov/vuln/detail/CVE-2026-25142
Affected packages
Git / github.com/nyariv/sandboxjs
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nyariv/sandboxjs
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed