CVE-2026-25520

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3	Patch
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4	Exploit Vendor Advisory
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-06 20:16

Updated : 2026-02-18 14:33

NVD link : CVE-2026-25520

Mitre link : CVE-2026-25520

CVE.ORG link : CVE-2026-25520

JSON object : View

Products Affected

nyariv

sandboxjs

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2026-25520", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2026-02-06T20:16:10.440", "references": [{"url": "https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29."}, {"lang": "es", "value": "SandboxJS es una librer\u00eda de sandboxing de JavaScript. Antes de 0.8.29, los valores de retorno de las funciones no est\u00e1n encapsulados. Object.values/Object.entries pueden usarse para obtener un Array que contiene el constructor Function del host; al usar Array.prototype.at se puede obtener el constructor Function del host, el cual puede usarse para ejecutar c\u00f3digo arbitrario fuera del sandbox. Esta vulnerabilidad est\u00e1 corregida en 0.8.29."}], "lastModified": "2026-02-18T14:33:15.567", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5822AD4C-2C8E-4196-9149-A626F0572E05", "versionEndExcluding": "0.8.29"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}