Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.
AnalysisAI
Sandbox escape in Terrarium enables arbitrary code execution with root privileges on the host system through JavaScript prototype chain traversal. This local attack requires no authentication or user interaction and breaks out of the sandbox entirely (scope change from container to host). CERT/CC publicly disclosed the vulnerability (VU#414811). EPSS probability is very low at 0.02% (5th percentile), and CISA SSVC indicates no active exploitation detected. Despite the critical 9.3 CVSS score, real-world risk appears limited by local attack vector and absence of widespread targeting, though the total technical impact (root-level host compromise) makes this severe for any deployment running untrusted code in Terrarium sandboxes.
Technical ContextAI
Terrarium is a Python-JavaScript interop sandboxing library developed by Cohere AI for executing untrusted JavaScript code in isolated environments. The vulnerability exploits JavaScript prototype chain traversal mechanisms to escape the sandbox boundary. Prototype pollution and prototype chain manipulation are well-known JavaScript security challenges where attackers modify Object.prototype or traverse the prototype chain to access properties and methods outside intended scope. In this case, the traversal bypasses Terrarium's isolation layer, allowing the malicious script to interact directly with the host Python process. The CVSS scope change (S:C) indicates the vulnerable component (sandboxed JavaScript runtime) differs from the impacted component (host operating system), confirming a complete sandbox breakout. The root privilege escalation suggests either Terrarium runs with elevated permissions or the escape technique inherently gains host-level access through the Python interpreter's privilege context.
RemediationAI
No vendor-released patch identified at time of analysis based on available references. The GitHub repository link (cohere-ai/cohere-terrarium) should be monitored for security advisories and updated releases. Until a patch is available, organizations must implement immediate containment: (1) Run Terrarium processes under least-privilege service accounts (not root) using Linux capabilities or SELinux to limit blast radius of successful escapes - though this mitigates post-exploitation impact, it does not prevent the escape itself. (2) Deploy secondary sandboxing layers such as running Terrarium inside Docker containers with seccomp profiles, AppArmor, or gVisor to add defense-in-depth - note this adds operational complexity and potential performance overhead. (3) Implement strict input validation and allowlisting for any JavaScript executed through Terrarium, though sophisticated prototype chain attacks may bypass syntactic filters. (4) For highest-risk deployments (multi-tenant SaaS, untrusted code execution services), consider temporarily disabling Terrarium-dependent features or migrating to alternative sandboxing solutions like isolated-vm or vm2 (after verifying their own security posture) until vendor patch is released. Monitor CERT/CC VU#414811 and the Cohere AI GitHub repository for official remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22676
GHSA-cmpr-pw8g-6q6c