Vulnerability Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nyariv | Sandboxjs | < 0.8.29 |
Related Weaknesses (CWE)
References
- https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e4Patch
- https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4ExploitVendor Advisory
- https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4ExploitVendor Advisory
FAQ
What is CVE-2026-25520?
CVE-2026-25520 is a vulnerability with a CVSS score of 10.0 (CRITICAL). SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function co...
How severe is CVE-2026-25520?
CVE-2026-25520 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-25520?
Check the references section above for vendor advisories and patch information. Affected products include: Nyariv Sandboxjs.