Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.30, 0.8.29
CVE-2026-25587 describes a critical prototype pollution vulnerability discovered in the @nyariv/sandboxjs JavaScript library. This flaw allows attackers to escape the intended sandbox environment by manipulating the Map.prototype.has method, potentially leading to arbitrary code execution. The vulnerability impacts versions of @nyariv/sandboxjs released before version 0.8.29, and a patch is available.
Successful exploitation of CVE-2026-25587 enables an attacker to bypass the intended security restrictions of the @nyariv/sandboxjs library. The sandbox is designed to isolate untrusted code, but this prototype pollution vulnerability allows attackers to inject malicious code into the global scope or modify existing objects within the application. This can lead to arbitrary code execution, data breaches, and complete compromise of the affected system. The vulnerability's effectiveness stems from the inconsistent behavior of let and const when accessing Map.prototype, allowing for prototype manipulation.
CVE-2026-25587 is related to CVE-2026-25142, sharing a similar exploitation pattern. Public proof-of-concept code is available, indicating a relatively low barrier to entry for attackers. The vulnerability was publicly disclosed on 2026-02-05. While no active exploitation campaigns have been confirmed, the critical severity and availability of a PoC suggest a high probability of exploitation if left unpatched.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-25587 is to immediately upgrade to version 0.8.29 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible, consider implementing a temporary workaround by strictly validating and sanitizing any user-supplied data that could potentially influence the Map object. Additionally, implement runtime checks to detect unexpected modifications to Map.prototype.has. After upgrading, confirm the fix by attempting to trigger the prototype pollution vulnerability with a known payload and verifying that the sandbox remains intact.
Update the SandboxJS library to version 0.8.29 or higher. This version fixes the sandbox escape vulnerability by preventing manipulation of the Map prototype. To update, use the corresponding package manager (e.g., npm or yarn) and install the latest version.
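The advisory suggests runtime checks for unexpected modifications to Map.prototype.has as a stop-gap while upgrading. The following is an added example of such a check (not code from @nyariv/sandboxjs or its advisory); it assumes the module is loaded at process start, before any sandboxed or otherwise untrusted code runs, so that the captured reference is the pristine built-in.

```javascript
// Added example, not part of @nyariv/sandboxjs: integrity check and
// hardening for Map.prototype.has, the method this advisory names as the
// prototype-pollution target. Assumes this runs before untrusted code.
const PRISTINE_HAS = Map.prototype.has;

// Returns a list of findings; an empty list means Map.prototype.has is intact.
function checkMapPrototypeIntegrity() {
  const findings = [];
  const desc = Object.getOwnPropertyDescriptor(Map.prototype, 'has');
  if (!desc) {
    findings.push('Map.prototype.has has been deleted');
  } else if ('get' in desc || 'set' in desc) {
    findings.push('Map.prototype.has was converted to an accessor property');
  } else if (desc.value !== PRISTINE_HAS) {
    findings.push('Map.prototype.has was replaced with a different function');
  }
  // Built-in prototype members are non-enumerable; any enumerable key on
  // Map.prototype is a foreign addition and a classic pollution symptom.
  for (const key of Object.keys(Map.prototype)) {
    findings.push(`unexpected enumerable property on Map.prototype: ${key}`);
  }
  return findings;
}

// Pin the pristine method so later assignment is ignored (sloppy mode) or
// throws (strict mode) and the property can no longer be redefined.
// Returns true when the prototype verifies clean after hardening.
function hardenMapPrototype() {
  Object.defineProperty(Map.prototype, 'has', {
    value: PRISTINE_HAS,
    writable: false,
    configurable: false,
    enumerable: false,
  });
  return checkMapPrototypeIntegrity().length === 0;
}
```

Run the check periodically or before handing control to the sandbox, and treat any finding as a security event rather than a benign misconfiguration.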
CVE-2026-25587 is a critical prototype pollution vulnerability in @nyariv/sandboxjs that allows attackers to escape the sandbox by manipulating Map.prototype.has, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions prior to 0.8.29. Assess your project dependencies immediately.
Upgrade to version 0.8.29 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement temporary workarounds like input validation.
While no active exploitation campaigns have been confirmed, the critical severity and availability of a PoC suggest a high probability of exploitation.
Refer to the @nyariv/sandboxjs project repository and related security advisories for the latest information and updates.