Platform
nodejs
Component
@nyariv/sandboxjs
Fixed in
0.8.35
0.8.34
CVE-2026-26954 describes a critical vulnerability in the @nyariv/sandboxjs library, allowing attackers to escape the sandbox environment. This escape is achieved by manipulating Function objects and leveraging Object.fromEntries to construct arbitrary properties. The vulnerability affects versions 0.8.33 and earlier of @nyariv/sandboxjs and has been resolved in version 0.8.34.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to bypass the intended security restrictions of the sandbox. By injecting Function objects and utilizing Object.fromEntries, an attacker can construct arbitrary objects with malicious properties. This could lead to the execution of arbitrary code within the context of the sandboxed environment, effectively compromising the application's security. The ability to execute arbitrary code within a sandbox circumvents security measures designed to isolate potentially untrusted code, making this a high-risk vulnerability.
This vulnerability was publicly disclosed on 2026-03-13. A proof-of-concept (PoC) demonstrating the sandbox escape is available, indicating a relatively low barrier to exploitation. While no active exploitation campaigns have been publicly reported, the availability of a PoC increases the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Applications utilizing @nyariv/sandboxjs to isolate untrusted code or user input are at significant risk. This includes web applications, desktop applications, and any environment where sandboxing is employed to enhance security. Projects relying on older versions of the library, particularly those with limited security monitoring, are especially vulnerable.
• nodejs / sandbox: `npm list @nyariv/sandboxjs`
• nodejs / sandbox: Check package.json for versions below 0.8.34.
• nodejs / sandbox: Review application code for usage of @nyariv/sandboxjs and potential injection points.
disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26954 is to upgrade to version 0.8.34 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization to prevent the injection of potentially malicious Function objects. While a direct workaround is not available, carefully reviewing the code that utilizes the sandbox and ensuring it does not inadvertently expose Function objects can reduce the attack surface. After upgrading, verify the sandbox functionality by attempting to execute known malicious payloads within the sandboxed environment to confirm the vulnerability has been successfully addressed.
Update the SandboxJS library to version 0.8.34 or later. This fixes the sandbox escape vulnerability. Run `npm update @nyariv/sandboxjs` or `yarn upgrade @nyariv/sandboxjs` to update.
CVE-2026-26954 is a critical vulnerability in @nyariv/sandboxjs allowing attackers to bypass sandbox restrictions through Function object manipulation, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions 0.8.33 or earlier. Upgrade to 0.8.34 to resolve the issue.
Upgrade to @nyariv/sandboxjs version 0.8.34 or later. If immediate upgrade is not possible, implement stricter input validation.
While active exploitation is not confirmed, a public PoC exists, suggesting a potential for exploitation.
Refer to the @nyariv/sandboxjs project's repository and release notes for the official advisory and details on the fix.