Is Sandboxjs affected by CVE-2026-25520?

SandboxJS versions before 0.8.29 contain a critical vulnerability (CVSS 10.0) that allows attackers to bypass sandbox protections and execute arbitrary code within applications using this library.

CVE-2026-25520

CRITICAL

2026-02-06 [email protected]

GHSA-58jh-xv4v-pcx4

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 14:33 vuln.today

Public exploit code

Patch Released

Feb 18, 2026 - 14:33 nvd

Patch available

CVE Published

Feb 06, 2026 - 20:16 nvd

CRITICAL 10.0

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.

Analysis

SandboxJS has a second CVSS 10.0 sandbox escape where function return values aren't properly sanitized, allowing code execution outside the sandbox.

Remediation

Within 24 hours: Inventory all systems and applications using SandboxJS and identify which versions are deployed; immediately disable SandboxJS functionality if operationally feasible pending patching. Within 7 days: Apply vendor patch to upgrade SandboxJS to version 0.8.29 or later across all affected systems; conduct full application testing post-patch to ensure functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +50

POC: +20

CVE-2026-25520 vulnerability details – vuln.today

Back

CVE-2026-25520

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25520

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code