JavaScript Sandboxing Vulnerability in SandboxJS Library by Nyariv
CVE-2026-25142

10CRITICAL

Key Information:

Vendor

Nyariv

Status
Sandboxjs
Vendor
CVE Published:
2 February 2026

What is CVE-2026-25142?

The SandboxJS library, prior to version 0.8.27, has a vulnerability that allows an attacker to exploit the lookupGetter method. This flaw permits access to the object's prototype, enabling potential bypass of sandbox restrictions and ultimately leading to remote code execution within vulnerable applications. Users are advised to upgrade to version 0.8.27 or higher to mitigate these security risks.

Affected Version(s)

SandboxJS < 0.8.27

References

https://github.com/nyariv/SandboxJS/security/advisories/G...
x_refsource_CONFIRM
https://github.com/nyariv/SandboxJS/commit/75c8009db32e68...
x_refsource_MISC
https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc...
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.