CVE-2026-25520
Published: 06 February 2026
Summary
CVE-2026-25520 is a critical-severity Injection (CWE-74) vulnerability in Nyariv Sandboxjs. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of the SandboxJS library to version 0.8.29 or later, directly fixing the failure to wrap function return values that enables sandbox escape.
Mandates software-enforced separation policies to prevent sandboxed JavaScript from accessing host objects like the Function constructor via unwrapped returns.
Prevents unauthorized transfer of host objects, such as the Function constructor, through shared resources like unwrapped function return values in the sandbox.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A sandbox escape in the JavaScript library lets remote, unauthenticated attackers supply malicious code that directly executes arbitrary host code, which maps to public-facing application exploitation and JavaScript interpreter abuse.
NVD Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the host's Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
Deeper analysis
CVE-2026-25520 is a critical vulnerability in SandboxJS, a JavaScript sandboxing library, affecting versions prior to 0.8.29. The issue arises because return values of functions are not properly wrapped, enabling the use of Object.values or Object.entries to obtain an array containing the host's Function constructor. Attackers can then leverage Array.prototype.at to access this constructor and execute arbitrary code outside the sandbox. The vulnerability is rated with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-74.
Any remote attacker can exploit this vulnerability without privileges or user interaction, as long as they can supply malicious JavaScript code to the sandboxed environment. Successful exploitation allows full sandbox escape, granting the attacker the ability to execute arbitrary code on the host system with the privileges of the process running SandboxJS, potentially leading to complete compromise of the affected application or server.
The vulnerability was addressed in SandboxJS version 0.8.29. Security advisories recommend updating to this patched version immediately. Details on the fix are provided in the GitHub security advisory at https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 and the fixing commit at https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3.