CVE-2026-25641

10.0 CRITICAL

📋 TL;DR

CVE-2026-25641 is a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attackers can bypass JavaScript sandbox restrictions by passing malicious objects that coerce to different string values during validation versus property access. This affects any application using vulnerable SandboxJS versions for JavaScript isolation.
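As an added illustration of the bug class described above (example code, not SandboxJS's own code, and not a reproduction of its internals): a property guard that coerces the key once for the check and again for the access, beside a hardened version that coerces exactly once. The deny-list, the target object and the inconsistent key are all constructed for this example.

```javascript
// Added illustration of the validation-vs-access coercion mismatch; this
// is not SandboxJS code and does not mirror its internals.
const FORBIDDEN = new Set(["secret"]); // constructed deny-list

// Vulnerable pattern: the key is coerced twice, once for the check and
// again for the lookup. An object whose toString() answers differently on
// the second call is validated under one name and accessed under another.
function getVulnerable(target, key) {
  if (FORBIDDEN.has(String(key))) throw new Error("forbidden property");
  return target[key]; // ToPropertyKey coerces the object again here
}

// Hardened pattern: coerce exactly once, up front, so the check and the
// lookup see the same primitive. Symbols are kept as-is, since String()
// would turn them into an ordinary string key.
function getHardened(target, key) {
  const name = typeof key === "symbol" ? key : String(key);
  if (typeof name === "string" && FORBIDDEN.has(name)) {
    throw new Error("forbidden property");
  }
  return target[name];
}

// Constructed test double: coerces to `first` on the first call and to
// `second` afterwards, reproducing the mismatch the advisory describes.
function inconsistentKey(first, second) {
  let calls = 0;
  return { toString: () => (calls++ === 0 ? first : second) };
}

// Runs both guards on the same constructed target and reports the result.
function compare() {
  const target = { public: "ok", secret: "hidden" }; // constructed
  const outcome = (guard) => {
    try {
      return guard(target, inconsistentKey("public", "secret"));
    } catch (e) {
      return "rejected";
    }
  };
  return { vulnerable: outcome(getVulnerable), hardened: outcome(getHardened) };
}
```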

💻 Affected Systems

Products:
  • SandboxJS
Versions: All versions prior to 0.8.29
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using SandboxJS for JavaScript sandboxing is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete sandbox escape allowing arbitrary code execution with the privileges of the hosting application, potentially leading to full system compromise.

🟠 Likely Case

Sandbox escape enabling execution of unauthorized JavaScript code within the application context, potentially accessing sensitive data or performing unauthorized actions.

🟢 If Mitigated

Limited impact if sandboxed code runs with minimal privileges and in isolated environments, though sandbox integrity would still be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of JavaScript object coercion and sandbox implementation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.29

Vendor Advisory: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342

Restart Required: Yes

Instructions:

1. Update the SandboxJS dependency to version 0.8.29 or later.
2. Restart any applications using SandboxJS.
3. Verify that the update was successful.

🔧 Temporary Workarounds

Disable SandboxJS Usage

Applies to: all

Temporarily disable or remove SandboxJS functionality until patching is possible.

🧯 If You Can't Patch

  • Isolate applications using SandboxJS in network segments with restricted access.
  • Implement additional input validation and monitoring for suspicious JavaScript execution patterns.

🔍 How to Verify

Check if Vulnerable:

Check package.json or dependency files for SandboxJS version below 0.8.29.

Check Version:

npm list sandboxjs

Verify Fix Applied:

Confirm SandboxJS version is 0.8.29 or higher in package.json and verify application functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Sandbox-related error messages
  • Unexpected process spawns from JavaScript contexts

Network Indicators:

  • Outbound connections from JavaScript sandbox processes to unexpected destinations

SIEM Query:

process.name:node AND cmdline:*sandbox* AND (event.action:process_start OR event.action:network_connection)
