CVE-2026-25881
CRITICAL
GHSA-ww7g-4gwx-m7wj
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.
Analysis
SandboxJS prior to 0.8.31 has yet another sandbox escape via prototype pollution, the sixth distinct escape technique discovered.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and services using SandboxJS and determine current versions in production; assess whether untrusted or user-supplied code is executed in these sandboxes. Within 7 days: Apply vendor patch upgrading SandboxJS to version 0.8.31 or later across all affected systems; test in staging environment before production deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today