Platform
nodejs
Component
@nyariv/sandboxjs
Fixed in
0.8.30
0.8.29
CVE-2026-25587 describes a critical prototype pollution vulnerability discovered in the @nyariv/sandboxjs JavaScript library. This flaw allows attackers to escape the intended sandbox environment by manipulating the Map.prototype.has method, potentially leading to arbitrary code execution. The vulnerability impacts versions of @nyariv/sandboxjs released before version 0.8.29, and a patch is available.
The core of this vulnerability lies in the library's handling of Map objects within its sandboxing mechanism. By exploiting prototype pollution, an attacker can overwrite properties on Map.prototype, specifically has. This manipulation bypasses the intended security boundary of the sandbox, granting the attacker the ability to execute arbitrary code within the context of the sandboxed environment. The potential impact is severe, as it could lead to complete compromise of an application relying on @nyariv/sandboxjs for security isolation. This is similar in concept to other prototype pollution vulnerabilities, but the specific bug in the let implementation makes it unique.
This vulnerability was publicly disclosed on 2026-02-05. A proof-of-concept (PoC) is available, indicating the feasibility of exploitation. While no active campaigns exploiting this specific CVE have been reported, the ease of exploitation and the potential impact make it a high-priority concern. The vulnerability is present in Node.js environments utilizing the @nyariv/sandboxjs library.
Applications utilizing @nyariv/sandboxjs to isolate untrusted code are at significant risk. This includes web applications, desktop applications, and any environment where JavaScript code is executed within a sandboxed environment. Projects relying on older versions of the library, particularly those with limited security monitoring, are especially vulnerable.
• nodejs / supply-chain: npm list @nyariv/sandboxjs
• nodejs / supply-chain: npm audit @nyariv/sandboxjs
• generic web: Inspect application code for usage of @nyariv/sandboxjs and any user-controlled data being used to modify Map objects.
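The two npm commands above only report what is installed; deciding which copies are affected still means comparing every occurrence of the package, including transitive ones, against the first fixed release. The following is an added example (not from the advisory or the sandboxjs project) that walks the JSON tree printed by `npm ls @nyariv/sandboxjs --all --json` and lists every copy whose version is below 0.8.29. The tree embedded in the block is constructed sample data, and all function names are this example's own.

```javascript
// Added example, not part of the advisory or of @nyariv/sandboxjs.
// Walks an `npm ls --all --json` tree and reports every copy of a package
// whose version is below the first fixed release named in the advisory.

const PACKAGE = "@nyariv/sandboxjs";
const FIXED_VERSION = "0.8.29"; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three integers.
// Prerelease and build tags are dropped: a 0.8.28-beta is still below 0.8.29.
function parseVersion(v) {
  const core = v.split("-")[0].split("+")[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  return parts;
}

// True when version a is strictly lower than version b (numeric, not lexical,
// so 0.8.10 is correctly treated as newer than 0.8.9).
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Recursively collect every occurrence of `name` in the tree, recording the
// dependency path so a transitive copy hidden under another package is found.
function findPackage(tree, name, fixedVersion, path = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, `${depName}@${info.version}`];
    if (depName === name) {
      hits.push({
        path: here.join(" > "),
        version: info.version,
        vulnerable: versionLessThan(info.version, fixedVersion),
      });
    }
    hits.push(...findPackage(info, name, fixedVersion, here));
  }
  return hits;
}

// Constructed sample tree (not real output): a patched direct dependency plus
// an older copy pulled in transitively by a hypothetical template engine.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "@nyariv/sandboxjs": { version: "0.8.29" },
    "some-template-engine": {
      version: "2.3.1",
      dependencies: {
        "@nyariv/sandboxjs": { version: "0.8.28" },
      },
    },
  },
};

// Only the copies that still need upgrading.
function vulnerableCopies(tree = SAMPLE_TREE) {
  return findPackage(tree, PACKAGE, FIXED_VERSION).filter((h) => h.vulnerable);
}

// Stand-alone run: print the affected copies of the sample tree. In practice,
// replace SAMPLE_TREE with JSON.parse of the real `npm ls --all --json` output.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(vulnerableCopies(), null, 2));
}
```

On the sample tree the direct dependency passes and the transitive copy under some-template-engine@2.3.1 is reported, which is the case `npm list` alone makes easy to overlook.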
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25587 is to immediately upgrade to version 0.8.29 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the Map prototype within the sandboxed environment. This could involve using Object.freeze() or similar techniques to prevent modification of the prototype. Additionally, implement input validation to sanitize data before it is used to construct Map objects within the sandbox. After upgrading, confirm the fix by attempting to trigger the prototype pollution vulnerability and verifying that it is no longer exploitable.
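The stop-gap and the post-upgrade verification described above can both be expressed as a small start-up check. What follows is an added example, not code from the advisory or from @nyariv/sandboxjs: it captures the genuine Map.prototype.has at load time, freezes Map.prototype as the temporary workaround, and then confirms that neither assignment nor Object.defineProperty can replace has. The function names are this example's own, and it assumes it runs before any untrusted code is evaluated.

```javascript
"use strict";
// Added example, not part of the advisory or of @nyariv/sandboxjs itself.
// Implements the two steps the mitigation text describes: freeze
// Map.prototype as a stop-gap, then verify that writes to Map.prototype.has
// are rejected. Run once at application start-up, before untrusted code.

// Capture the genuine `has` at load time, before any untrusted code runs.
const NATIVE_HAS = Map.prototype.has;

// Integrity check usable at any later point: the live `has` must be the
// function captured above and must still be native code. The identity
// comparison is the reliable part; the "[native code]" test is a secondary
// signal, since Function.prototype.toString could itself be replaced.
function mapPrototypeIntact() {
  const desc = Object.getOwnPropertyDescriptor(Map.prototype, "has");
  return (
    desc !== undefined &&
    desc.value === NATIVE_HAS &&
    Function.prototype.toString.call(desc.value).includes("[native code]")
  );
}

// Stop-gap from the advisory: freeze Map.prototype so its methods can be
// neither reassigned nor redefined. Freezing does not break Map usage or
// subclassing; it only blocks later modification of the shared prototype.
function hardenMapPrototype() {
  Object.freeze(Map.prototype);
  return Object.isFrozen(Map.prototype);
}

// Verification: perform the same kind of write the vulnerability relies on
// and confirm it has no effect. A frozen object throws TypeError on
// assignment in strict mode and ignores it in sloppy mode; defineProperty
// throws in both. If a write does land, the prototype was not frozen, and
// the original is restored so the check never leaves the process polluted.
function verifyMapPrototypeLocked() {
  const before = Map.prototype.has;
  const fake = function fakeHas() { return true; };

  try {
    Map.prototype.has = fake;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  const assignIgnored = Map.prototype.has === before;
  if (!assignIgnored) Map.prototype.has = before; // undo: prototype was writable

  let defineRejected = false;
  try {
    Object.defineProperty(Map.prototype, "has", { value: fake });
  } catch (e) {
    defineRejected = e instanceof TypeError;
  }
  if (Map.prototype.has !== before) {
    Object.defineProperty(Map.prototype, "has", { value: before }); // undo
  }

  return assignIgnored && defineRejected && mapPrototypeIntact();
}

// Stand-alone run: harden, then verify. Exit non-zero if the check fails so a
// start-up script can refuse to evaluate untrusted code in that process.
if (typeof require !== "undefined" && require.main === module) {
  const frozen = hardenMapPrototype();
  const locked = verifyMapPrototypeLocked();
  console.log(`Map.prototype frozen: ${frozen}, writes rejected: ${locked}`);
  if (!locked) process.exit(1);
}
```

Keep verifyMapPrototypeLocked in place after upgrading to 0.8.29 or later as well: it is the concrete form of "confirm the fix", and running it at start-up turns a silent regression (a dependency downgrade, a second unpatched copy) into a failed deployment rather than an open sandbox.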
Update the SandboxJS library to version 0.8.29 or later. This version fixes the sandbox escape vulnerability by preventing manipulation of the Map prototype. To update, use the appropriate package manager (e.g. npm or yarn) and install the latest version.
CVE-2026-25587 is a critical prototype pollution vulnerability in @nyariv/sandboxjs that allows attackers to escape the sandbox by manipulating Map.prototype.has, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions prior to 0.8.29. Assess your project dependencies immediately.
Upgrade to version 0.8.29 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement temporary workarounds like input validation.
While no active exploitation campaigns have been confirmed, the critical severity and availability of a PoC suggest a high probability of exploitation.
Refer to the @nyariv/sandboxjs project repository and related security advisories for the latest information and updates.