CVE-2026-25142
Published: 02 February 2026
Summary
CVE-2026-25142 is a critical-severity Code Injection (CWE-94) vulnerability in Nyariv Sandboxjs. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 44.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the SandboxJS flaw by applying the patch in version 0.8.27 that restricts __lookupGetter__ to prevent sandbox escape.
- Mandates software-enforced separation policies that address prototype access restrictions in JavaScript sandboxes like SandboxJS to block unauthorized escapes.
- Ensures the SandboxJS reference monitor properly mediates access to prototypes via __lookupGetter__, preventing attackers from bypassing sandbox boundaries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via exploitation of a public-facing JavaScript sandboxing library (AV:N/AC:L/PR:N), directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__, which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
Deeper analysis
CVE-2026-25142 affects SandboxJS, a JavaScript sandboxing library, in versions prior to 0.8.27. The vulnerability stems from improper restrictions on the __lookupGetter__ function, which allows attackers to access prototypes and escape the sandbox, potentially leading to remote code execution. This issue is classified under CWE-94 (Improper Control of Generation of Code) and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), with a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact across confidentiality, integrity, and availability.
Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction by leveraging the unrestricted __lookupGetter__ to retrieve prototypes and bypass sandbox boundaries. Successful exploitation enables full sandbox escape, granting attackers the ability to execute arbitrary code in the context of the hosting application, potentially compromising the entire system.
The GitHub security advisory (GHSA-9p4w-fq8m-2hp7) and associated commit (75c8009db32e6829b0ad92ca13bf458178442bd3) detail the fix implemented in version 0.8.27, which properly restricts prototype access in the executor module (src/executor.ts lines 368-398). Security practitioners should update to SandboxJS 0.8.27 or later to mitigate this issue.
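Two defensive checks that follow from the analysis above, written as an added example rather than SandboxJS or advisory code: a version comparison against the fixed release 0.8.27 named on this page, and a Proxy-based mediated view illustrating the reference-monitor control (AC-25) recommended here, in which guest code is served only a host object's own data properties, so inherited members such as __lookupGetter__ and the prototype chain are not reachable. The function names isVulnerableVersion and mediatedView and the sample host object are this example's own.

```javascript
// Added example for CVE-2026-25142; not code from SandboxJS or the advisory.
// The fixed version below is the one stated in the advisory text.
const FIXED_VERSION = '0.8.27';

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v"; any pre-release
// suffix after the patch number is ignored for this comparison.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed version is older than the fixed release.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = parseSemver(installed), b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Reference-monitor style view of a host object: the guest sees only own,
// enumerable *data* properties. Inherited members (e.g. __lookupGetter__,
// constructor), accessor properties and the prototype chain are not served,
// so they cannot be used from inside the view to obtain host prototypes.
function mediatedView(host) {
  const ownData = (key) => {
    if (typeof key === 'symbol') return undefined;
    const d = Object.getOwnPropertyDescriptor(host, key);
    return d && d.enumerable && 'value' in d ? d : undefined;
  };
  const deny = () => false; // all mutation traps refuse
  // The proxy target is a fresh, extensible {} so the traps below stay
  // within the Proxy invariants (e.g. getPrototypeOf may return null).
  return new Proxy({}, {
    get: (_t, key) => { const d = ownData(key); return d ? d.value : undefined; },
    has: (_t, key) => ownData(key) !== undefined,
    ownKeys: () => Object.keys(host).filter((k) => ownData(k) !== undefined),
    getOwnPropertyDescriptor: (_t, key) => {
      const d = ownData(key);
      return d ? { value: d.value, writable: false, enumerable: true, configurable: true }
               : undefined;
    },
    getPrototypeOf: () => null,
    set: deny, defineProperty: deny, deleteProperty: deny, setPrototypeOf: deny,
  });
}

// Constructed sample host: one data property and one accessor property.
const sampleHost = { name: 'widget', get secret() { return 'hidden'; } };
const sampleView = mediatedView(sampleHost);
```

Run under Node; sampleView.name is 'widget' while sampleView.secret, sampleView.__lookupGetter__ and sampleView.constructor are all undefined, and Object.getPrototypeOf(sampleView) is null.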
Details
- CWE(s)