Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.28, 0.8.27
CVE-2026-25142 describes a Remote Code Execution (RCE) vulnerability within the @nyariv/sandboxjs JavaScript library for Node.js. This flaw arises from inadequate restrictions on the lookupGetter function, enabling attackers to potentially escape the sandbox and execute arbitrary code. Affected versions include those prior to 0.8.27; upgrading to this version resolves the issue.
The vulnerability allows an attacker to bypass the intended sandboxing mechanism of @nyariv/sandboxjs. By exploiting the improper handling of lookupGetter, an attacker can gain access to prototypes and ultimately execute arbitrary code within the Node.js process hosting the application. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The potential impact is significant, particularly in applications relying on SandboxJS to isolate untrusted JavaScript code, such as browser-based sandboxes or code execution environments.
This vulnerability was publicly disclosed on 2026-02-02. A proof-of-concept (PoC) demonstrating the exploit is available in the CVE description. The CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. While no active campaigns have been publicly reported as of this writing, the availability of a PoC increases the risk of exploitation. It is recommended to prioritize patching this vulnerability.
Applications utilizing @nyariv/sandboxjs for sandboxing or isolating untrusted code are at significant risk. This includes web applications, desktop applications, and any environment where user-provided code is executed within a controlled environment. Developers relying on SandboxJS for security should prioritize upgrading to the patched version.
Detection (nodejs / supply-chain):
• `npm list @nyariv/sandboxjs`
• `npm audit @nyariv/sandboxjs`
• `grep -r "__lookupGetter__" node_modules/@nyariv/sandboxjs/`
References: disclosure, poc, patch
Exploit status:
• EPSS: 0.21% (43rd percentile)
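The `npm list` check above only reports what is installed on one machine. The following script, added here as an example and not taken from the advisory or the sandboxjs project, reads a `package-lock.json` (lockfile version 2 or 3) and reports every copy of @nyariv/sandboxjs, including nested copies pulled in by other dependencies, flagging any version below the 0.8.27 fix version stated in the advisory. Version comparison is numeric per component so that 0.10.x is correctly treated as newer than 0.8.27. The lockfile content at the bottom is a constructed sample used when no path is given on the command line.

```javascript
// Added example: find every @nyariv/sandboxjs install in a package-lock.json
// and flag versions below the fixed release named in the advisory.
const PACKAGE = "@nyariv/sandboxjs";
const FIXED_VERSION = "0.8.27"; // first fixed version per the advisory

// Parse "MAJOR.MINOR.PATCH" into three numbers; pre-release/build
// suffixes (e.g. "-beta.1") are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the installed version predates the fix.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfile: a parsed package-lock.json object (lockfileVersion 2 or 3).
// Returns [{ path, version, affected }] for every install of PACKAGE,
// including copies nested under other dependencies' node_modules.
function findSandboxjs(lockfile) {
  const results = [];
  const packages = lockfile.packages || {};
  for (const [path, info] of Object.entries(packages)) {
    const isPkg =
      path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isPkg && info && info.version) {
      results.push({ path, version: info.version, affected: isAffected(info.version) });
    }
  }
  return results;
}

// Constructed sample lockfile (not from any real project): one vulnerable
// top-level copy and one fixed copy nested under a hypothetical plugin.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@nyariv/sandboxjs": { version: "0.8.26" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/@nyariv/sandboxjs": { version: "0.8.27" },
  },
};

// CLI entry point: `node check-sandboxjs.js [path/to/package-lock.json]`.
// Exit code 1 when any affected copy is found, so it can gate a CI job.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCKFILE;
  const hits = findSandboxjs(lock);
  if (hits.length === 0) console.log(`${PACKAGE} not present in lockfile`);
  for (const h of hits) {
    console.log(`${h.affected ? "AFFECTED" : "ok      "} ${h.version}  ${h.path}`);
  }
  process.exitCode = hits.some((h) => h.affected) ? 1 : 0;
}
```

Run it against the lockfile of each deployed service rather than a developer checkout, since nested copies are easy to miss with `npm list` alone; a non-zero exit code makes it usable as a CI gate until the upgrade has landed everywhere.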
The primary mitigation is to immediately upgrade to version 0.8.27 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter input validation and sanitization of any data passed to the sandboxed JavaScript environment. While not a complete solution, this can reduce the attack surface. Monitor Node.js process activity for unusual behavior or unexpected code execution. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with a crafted payload and verifying that the sandbox remains intact.
Update the SandboxJS library to version 0.8.27 or higher. This version fixes the prototype-pollution vulnerability that enables the remote code execution. To update, use the npm package manager: `npm install @nyariv/sandboxjs@latest`.
CVE-2026-25142 is a critical Remote Code Execution vulnerability in the @nyariv/sandboxjs library, allowing attackers to escape the sandbox and execute arbitrary code.
You are affected if your application uses @nyariv/sandboxjs versions prior to 0.8.27. Check your project dependencies immediately.
Upgrade to version 0.8.27 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement runtime checks to restrict prototype access.
While no active campaigns have been confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the @nyariv/sandboxjs GitHub repository for updates and advisories related to CVE-2026-25142.