CVE-2026-25587
Published: 06 February 2026
Summary
CVE-2026-25587 is a critical-severity Code Injection (CWE-94) vulnerability in Nyariv Sandboxjs. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-4 (Information in Shared System Resources).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-25587 by requiring timely flaw remediation through upgrading SandboxJS to version 0.8.29 or later.
Enforces software-based separation and policy for untrusted JavaScript execution, addressing the sandbox isolation failure exploited via Map.prototype pollution.
Prevents unauthorized information transfer and control flow hijacking through shared system resources like the Map.prototype targeted in this sandbox escape.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A sandbox escape in the JavaScript library allows remote untrusted JavaScript to achieve arbitrary host code execution (CWE-94), directly enabling T1190 (public-facing app RCE), T1059.007 (JavaScript interpreter abuse), and T1203 (client-side exploitation for execution).
NVD Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOTYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
Deeper analysis
CVE-2026-25587 is a sandbox escape vulnerability in SandboxJS, an open-source JavaScript sandboxing library. In versions prior to 0.8.29, the Map object is included in SAFE_PROTOTYPES, allowing attackers to access Map.prototype. By overwriting the Map.prototype.has method, malicious code executed within the sandbox can escape its isolation boundaries. The vulnerability is rated with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code).
Remote attackers require no privileges or user interaction to exploit this vulnerability over a network with low complexity. Exploitation occurs when untrusted JavaScript code is executed inside a SandboxJS instance, enabling the attacker to bypass sandbox restrictions. Successful exploitation grants high-impact confidentiality, integrity, and availability compromises with a changed scope, potentially allowing arbitrary code execution on the host environment.
The vulnerability was fixed in SandboxJS version 0.8.29, as detailed in the project's GitHub security advisory (GHSA-66h4-qj4x-38xp) and the corresponding commit (67cb186c41c78c51464f70405504e8ef0a6e43c3). Security practitioners should upgrade to version 0.8.29 or later to mitigate the issue.
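The shared-prototype problem described above, as an added example (not SandboxJS code and not the project's fix): a host-side check that snapshots a built-in prototype such as Map.prototype before untrusted code runs, reports any property replaced or added afterwards, and restores the originals. The function names are hypothetical, and the check is a detection aid alongside the upgrade to 0.8.29, not a substitute for it.

```javascript
// Added example; all function names are hypothetical.
// Capture primitives up front so the check never calls a method that
// untrusted code may have replaced (it deliberately avoids Map and Set).
const ownKeys = Reflect.ownKeys;
const getDesc = Object.getOwnPropertyDescriptor;
const defProp = Object.defineProperty;
const delProp = Reflect.deleteProperty;
const same = Object.is;

// Record every own property descriptor of a shared prototype.
function snapshotPrototype(proto) {
  const keys = ownKeys(proto);
  const snap = [];
  for (let i = 0; i < keys.length; i++) {
    snap[i] = { key: keys[i], desc: getDesc(proto, keys[i]) };
  }
  return snap;
}

// Return the keys of properties that were replaced, removed or added.
function diffPrototype(proto, snap) {
  const changed = [];
  for (let i = 0; i < snap.length; i++) {
    const was = snap[i].desc;
    const now = getDesc(proto, snap[i].key);
    const intact = now && same(now.value, was.value) &&
      same(now.get, was.get) && same(now.set, was.set);
    if (!intact) changed[changed.length] = snap[i].key;
  }
  const keys = ownKeys(proto);
  for (let i = 0; i < keys.length; i++) {
    let known = false;
    for (let j = 0; j < snap.length; j++) known = known || same(snap[j].key, keys[i]);
    if (!known) changed[changed.length] = keys[i];
  }
  return changed;
}

// Run a callback that evaluates untrusted code, then report and undo changes.
function runGuarded(proto, callback) {
  const snap = snapshotPrototype(proto);
  let error = null;
  try { callback(); } catch (e) { error = e; }
  const tampered = diffPrototype(proto, snap);
  // defProp throws if a property was made non-configurable: treat that as fatal.
  for (let i = 0; i < snap.length; i++) defProp(proto, snap[i].key, snap[i].desc);
  const added = diffPrototype(proto, snap); // after the restore, only added keys remain
  for (let i = 0; i < added.length; i++) delProp(proto, added[i]);
  return { tampered, error };
}
```

A non-empty `tampered` list after a sandbox run means the untrusted code reached a host-shared object and the run should be treated as a containment failure.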