Prototype Pollution Vulnerability in @nyariv/sandboxjs
CVE-2025-34146
Key Information:
Badges
What is CVE-2025-34146?
A prototype pollution vulnerability in @nyariv/sandboxjs enables attackers to inject arbitrary properties into Object.prototype through specially crafted JavaScript code. This flaw can lead to a denial-of-service (DoS) situation or, in specific circumstances, allow the escape from the sandboxed environment that is designed to restrict code execution. The root cause of this issue lies in inadequate prototype access validation within the sandbox’s executor logic, especially when processing JavaScript function objects.
Affected Version(s)
sandboxjs * <= 0.8.23
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved