CVE-2026-25587

10.0 CRITICAL

📋 TL;DR

CVE-2026-25587 is a critical sandbox escape vulnerability in the SandboxJS library, affecting versions before 0.8.29. Attackers can overwrite Map.prototype.has to break out of the JavaScript sandbox and execute arbitrary code. This affects any application that uses a vulnerable SandboxJS version for JavaScript isolation.

💻 Affected Systems

Products:
  • SandboxJS
Versions: All versions before 0.8.29
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using SandboxJS for JavaScript sandboxing is vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the host system where SandboxJS runs, allowing remote code execution, data theft, and lateral movement.

🟠 Likely Case

Arbitrary code execution within the application context, potentially leading to data exposure and privilege escalation.

🟢 If Mitigated

Limited impact if sandboxed code has minimal privileges and runs in isolated environments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes technical details that make exploitation straightforward for attackers with JavaScript knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.29

Vendor Advisory: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp

Restart Required: Yes

Instructions:

1. Update SandboxJS to version 0.8.29 or later.
2. Update package.json to require "sandboxjs": ">=0.8.29".
3. Run npm update or yarn upgrade.
4. Restart your application.

🔧 Temporary Workarounds

Remove Map from SAFE_PROTOTYPES (applies to: all)

Manually modify the SandboxJS source file and remove 'Map' from the SAFE_PROTOTYPES array, so that sandboxed code is no longer handed Map.prototype at all.

🧯 If You Can't Patch

  • Isolate SandboxJS instances in containers with minimal privileges
  • Implement strict input validation and monitoring for sandbox escape attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for a SandboxJS version below 0.8.29.

Check Version:

npm list sandboxjs | grep sandboxjs

Verify Fix Applied:

Verify that the installed SandboxJS version is 0.8.29 or higher, then test that sandboxed code still behaves as expected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Sandbox escape attempts in application logs

Network Indicators:

  • Unexpected outbound connections from sandboxed processes

SIEM Query:

source="application_logs" AND ("sandbox escape" OR "Map.prototype" OR "CVE-2026-25587")
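The "sandbox escape attempts" log indicator above only exists if the host emits one. As an added example (not SandboxJS code and not from the advisory), the following host-side check snapshots the native Map and Set methods that the overwrite in this CVE targets, reports any that have since been replaced, and optionally locks them down; the watched method list and the function names are assumptions of this example.

```javascript
// Added example, not part of SandboxJS or the advisory: a host-side integrity
// check for built-in prototype methods. CVE-2026-25587 depends on sandboxed
// code being able to overwrite Map.prototype.has, so a host that snapshots
// that method before running untrusted code can log a concrete
// "sandbox escape attempt" indicator if it later changes.

// Which methods to watch is an assumption: Map.prototype.has is the one
// named in the advisory, the others are closely related built-ins.
const WATCHED_NATIVES = [
  [Map.prototype, 'has', 'Map.prototype.has'],
  [Map.prototype, 'get', 'Map.prototype.get'],
  [Map.prototype, 'set', 'Map.prototype.set'],
  [Set.prototype, 'has', 'Set.prototype.has'],
];

// Call once at startup, before any untrusted code runs. The original
// function references are kept in a plain array so the check itself never
// relies on Map methods that may later be tampered with.
function snapshotNatives(targets) {
  return targets.map(([obj, prop, label]) => ({
    obj,
    prop,
    label,
    original: Object.getOwnPropertyDescriptor(obj, prop).value,
  }));
}

// Returns the labels of watched methods whose current value differs from the
// snapshot (replaced or deleted). An empty array means no tampering was seen;
// anything else is worth logging with the CVE id for the SIEM query above.
function findTamperedNatives(snapshot) {
  const tampered = [];
  for (const { obj, prop, label, original } of snapshot) {
    const desc = Object.getOwnPropertyDescriptor(obj, prop);
    if (!desc || desc.value !== original) tampered.push(label);
  }
  return tampered;
}

// Defense in depth for hosts that cannot patch yet: make the watched methods
// non-writable and non-configurable so a plain assignment no longer takes
// effect. Run it after the snapshot and before loading untrusted code; note
// it also blocks legitimate polyfills that patch the same methods.
function hardenNatives(snapshot) {
  for (const { obj, prop } of snapshot) {
    Object.defineProperty(obj, prop, { writable: false, configurable: false });
  }
}
```

Both functions act on the realm they run in, so they only cover a sandbox that shares the host's built-in prototypes, which is the situation the advisory describes.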
