Skip to main content

Terrarium CVE-2026-5752

| EUVDEUVD-2026-22676 CRITICAL
2026-04-14 cret@cert.org GHSA-cmpr-pw8g-6q6c
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Apr 21, 2026 - 15:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 17, 2026 - 15:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 22:35 vuln.today
CVSS changed
Apr 14, 2026 - 20:22 NVD
9.3 (CRITICAL)
EUVD ID Assigned
Apr 14, 2026 - 18:22 euvd
EUVD-2026-22676
Analysis Generated
Apr 14, 2026 - 18:22 vuln.today
CVE Published
Apr 14, 2026 - 18:17 nvd
CRITICAL 9.3

DescriptionCVE.org

Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.

AnalysisAI

Sandbox escape in Terrarium enables arbitrary code execution with root privileges on the host system through JavaScript prototype chain traversal. This local attack requires no authentication or user interaction and breaks out of the sandbox entirely (scope change from container to host). CERT/CC publicly disclosed the vulnerability (VU#414811). EPSS probability is very low at 0.02% (5th percentile), and CISA SSVC indicates no active exploitation detected. Despite the critical 9.3 CVSS score, real-world risk appears limited by local attack vector and absence of widespread targeting, though the total technical impact (root-level host compromise) makes this severe for any deployment running untrusted code in Terrarium sandboxes.

Technical ContextAI

Terrarium is a Python-JavaScript interop sandboxing library developed by Cohere AI for executing untrusted JavaScript code in isolated environments. The vulnerability exploits JavaScript prototype chain traversal mechanisms to escape the sandbox boundary. Prototype pollution and prototype chain manipulation are well-known JavaScript security challenges where attackers modify Object.prototype or traverse the prototype chain to access properties and methods outside intended scope. In this case, the traversal bypasses Terrarium's isolation layer, allowing the malicious script to interact directly with the host Python process. The CVSS scope change (S:C) indicates the vulnerable component (sandboxed JavaScript runtime) differs from the impacted component (host operating system), confirming a complete sandbox breakout. The root privilege escalation suggests either Terrarium runs with elevated permissions or the escape technique inherently gains host-level access through the Python interpreter's privilege context.

RemediationAI

No vendor-released patch identified at time of analysis based on available references. The GitHub repository link (cohere-ai/cohere-terrarium) should be monitored for security advisories and updated releases. Until a patch is available, organizations must implement immediate containment: (1) Run Terrarium processes under least-privilege service accounts (not root) using Linux capabilities or SELinux to limit blast radius of successful escapes - though this mitigates post-exploitation impact, it does not prevent the escape itself. (2) Deploy secondary sandboxing layers such as running Terrarium inside Docker containers with seccomp profiles, AppArmor, or gVisor to add defense-in-depth - note this adds operational complexity and potential performance overhead. (3) Implement strict input validation and allowlisting for any JavaScript executed through Terrarium, though sophisticated prototype chain attacks may bypass syntactic filters. (4) For highest-risk deployments (multi-tenant SaaS, untrusted code execution services), consider temporarily disabling Terrarium-dependent features or migrating to alternative sandboxing solutions like isolated-vm or vm2 (after verifying their own security posture) until vendor patch is released. Monitor CERT/CC VU#414811 and the Cohere AI GitHub repository for official remediation guidance.

Share

CVE-2026-5752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy