CVE-2026-25520

10.0 CRITICAL

📋 TL;DR

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers to obtain the host's Function constructor and execute arbitrary code outside the sandbox. This affects any application using vulnerable SandboxJS versions for JavaScript sandboxing. Attackers can potentially execute arbitrary code with the privileges of the hosting application.

💻 Affected Systems

Products:
  • SandboxJS
Versions: All versions prior to 0.8.29
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using SandboxJS for JavaScript sandboxing is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the hosting application with arbitrary code execution, potentially leading to data theft, system takeover, or lateral movement within the network.

🟠 Likely Case

Remote code execution on systems running vulnerable SandboxJS, allowing attackers to execute arbitrary commands with application privileges.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though sandbox escape still represents a significant security failure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept available in the advisory. Exploitation requires only the ability to execute JavaScript within the sandbox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.29

Vendor Advisory: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4

Restart Required: Yes

Instructions:

1. Update SandboxJS to version 0.8.29 or later using 'npm update sandboxjs'
2. Restart any applications using SandboxJS
3. Verify the update was successful by checking the package version

🔧 Temporary Workarounds

Disable SandboxJS Usage (applies to: all)

Temporarily disable or remove SandboxJS functionality until patching is possible:

npm uninstall sandboxjs

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to SandboxJS
  • Isolate applications using SandboxJS in network segments with limited access

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list sandboxjs' to see whether the installed version is below 0.8.29

Check Version:

npm list sandboxjs | grep sandboxjs

Verify Fix Applied:

Verify that the SandboxJS version is 0.8.29 or higher using 'npm list sandboxjs'
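The version check above covers one installation at a time. The following is an added example, not code from the advisory or from the SandboxJS project, that performs the same check against a package-lock.json so nested copies pulled in by other dependencies are not missed. It compares each pinned version against the fixed release 0.8.29 (a prerelease of 0.8.29 counts as vulnerable). The package name "sandboxjs" is taken from the advisory's commands; the scoped name "@nyariv/sandboxjs" and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example (not from the advisory): report SandboxJS versions below the fixed
// release in a package-lock.json v2/v3 "packages" map. The scoped package name and
// the sample lockfile below are constructed assumptions, not taken from the advisory.
const FIXED_VERSION = '0.8.29';
const PACKAGE_NAMES = new Set(['sandboxjs', '@nyariv/sandboxjs']); // scoped name is an assumption

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator (<0, 0, >0). Numeric compare on the core parts; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // lexical tie-break is enough for the vulnerable/fixed split
}

// True when the given version is strictly below the fixed release.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk every entry in the lockfile's "packages" map and collect outdated SandboxJS copies,
// including nested ones under another dependency's node_modules.
function findVulnerableInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = entry.name ?? path.split('node_modules/').pop();
    if (!PACKAGE_NAMES.has(name) || !entry.version) continue;
    if (isVulnerable(entry.version)) hits.push({ path: path || '(root)', version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy and an outdated nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.29' },
    'node_modules/legacy-plugin/node_modules/@nyariv/sandboxjs': { version: '0.8.28' },
  },
};

console.log(JSON.stringify(findVulnerableInLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means every pinned copy is at or above 0.8.29.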

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Sandbox escape attempts in application logs
  • Unexpected process spawns from Node.js applications

Network Indicators:

  • Outbound connections from Node.js processes to unexpected destinations
  • Command and control traffic from application servers

SIEM Query:

process.name:node.exe AND (process.cmd_line:*sandbox* OR process.cmd_line:*SandboxJS*)
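The query above only matches Node.js processes whose command line mentions the sandbox, so a successful escape that runs inside an ordinary `node server.js` process is invisible to it. The indicator that survives an escape is the "unexpected process spawns from Node.js applications" item above. The following is an added example, not code from the advisory or the SandboxJS project, that applies that rule to process-creation events: it flags any child of a Node.js process that is not on an expected-children allowlist and rates shells and interpreters as high severity. The field names follow the advisory's query style (process.name, process.cmd_line); the parent fields, the allowlist and the sample events are assumptions constructed for the example.

```javascript
// Added detection example (not from the advisory): flag child processes spawned by a
// Node.js parent. Parent/host field names, the allowlist and the sample events are
// constructed assumptions; adjust them to your SIEM's schema and your application.
const NODE_NAMES = new Set(['node', 'node.exe', 'nodejs']);
const SHELL_OR_INTERPRETER = new Set([
  'sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe', 'pwsh', 'python', 'python3', 'perl',
]);
// Children the application is known to spawn legitimately (assumption; tune per deployment).
const EXPECTED_CHILDREN = new Set(['git', 'node', 'node.exe']);

// Return one finding per event where a Node.js process spawned an unexpected child.
function flagSuspiciousSpawns(events) {
  const findings = [];
  for (const e of events) {
    const parent = e.process?.parent?.name ?? '';
    const child = e.process?.name ?? '';
    if (!NODE_NAMES.has(parent)) continue;
    if (EXPECTED_CHILDREN.has(child)) continue;
    findings.push({
      timestamp: e['@timestamp'],
      host: e.host?.name ?? 'unknown',
      parent,
      child,
      cmd: e.process?.cmd_line ?? '',
      severity: SHELL_OR_INTERPRETER.has(child) ? 'high' : 'medium',
    });
  }
  return findings;
}

// Parse newline-delimited JSON as a SIEM export would provide it; blank lines are skipped.
function parseJsonl(text) {
  return text.split('\n').filter(l => l.trim()).map(l => JSON.parse(l));
}

// Constructed sample events: a normal startup, an expected git child, then two
// spawns that the rule should flag (a shell and an unlisted network client).
const SAMPLE_EVENTS_JSONL = `
{"@timestamp":"2026-03-01T10:00:01Z","host":{"name":"app-01"},"process":{"name":"node","cmd_line":"node server.js","parent":{"name":"systemd"}}}
{"@timestamp":"2026-03-01T10:00:05Z","host":{"name":"app-01"},"process":{"name":"git","cmd_line":"git rev-parse HEAD","parent":{"name":"node"}}}
{"@timestamp":"2026-03-01T10:02:13Z","host":{"name":"app-01"},"process":{"name":"sh","cmd_line":"sh -c id","parent":{"name":"node"}}}
{"@timestamp":"2026-03-01T10:02:14Z","host":{"name":"app-01"},"process":{"name":"curl","cmd_line":"curl http://203.0.113.5/","parent":{"name":"node"}}}
`;

function runSample() {
  return flagSuspiciousSpawns(parseJsonl(SAMPLE_EVENTS_JSONL));
}

console.log(JSON.stringify(runSample(), null, 2));
```

The allowlist is the part that needs care: start it from a baseline of what the application actually spawns in normal operation, otherwise routine children such as build tools will page the on-call engineer.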
