What is the CVSS score of CVE-2026-25641?

CVE-2026-25641 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Sandboxjs are affected by CVE-2026-25641?

A critical sandbox escape vulnerability in SandboxJS (CVE-2026-25641) allows attackers to bypass security controls and execute arbitrary code within applications using this library.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25641?

Yes, a public proof-of-concept exploit is available for CVE-2026-25641. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25641?

Within 24 hours: Inventory all systems and applications using SandboxJS and identify current versions; establish incident response readiness. Within 7 days: Deploy patch to version 0.8.29 or later across all affected systems; prioritize production environments first. Within 30 days: Complete patching of all remaining systems and validate remediation through testing; conduct code review for any SandboxJS-dependent functionality.

Sandboxjs CVE-2026-25641

CRITICAL

Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

2026-02-06 security-advisories@github.com

GHSA-7x3h-rm86-3342

Information Disclosure Sandboxjs

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 14:01 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 14:01 nvd

Patch available

CVE Published

Feb 06, 2026 - 20:16 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.

AnalysisAI

SandboxJS has a fifth CVSS 10.0 escape via a TOCTOU race condition in sandbox validation, allowing code to slip through during the check-execute gap.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious object with coercive toString()

Delivery

Pass object as property key to SandboxJS

Exploit

Key coerces differently during validation vs access

Execution

Bypass sandbox restrictions

Impact

Execute arbitrary code

Access

Craft malicious object with coercive toString()

Delivery

Pass object as property key to SandboxJS

Exploit

Key coerces differently during validation vs access

Execution

Bypass sandbox restrictions

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against SandboxJS versions prior to 0.8.29 with default configuration accepting user-supplied objects as property keys. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 10.0 with PoC and patch. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker exploits the timing window between sandbox validation and code execution to modify the code that runs, bypassing all restrictions.
Remediation	Update to 0.8.29+ immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems and applications using SandboxJS and identify current versions; establish incident response readiness. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25641 vulnerability details – vuln.today

Back

Sandboxjs CVE-2026-25641

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code