Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.35, 0.8.34
CVE-2026-26954 is a critical sandbox-escape vulnerability in the @nyariv/sandboxjs library. Code evaluated inside the sandbox can manipulate Function objects and use Object.fromEntries to construct arbitrary properties, and through that path break out of the sandbox into the host JavaScript environment. Versions 0.8.33 and earlier of @nyariv/sandboxjs are affected; the issue is fixed in version 0.8.34.
A sandbox escape defeats the library's entire purpose. An attacker who can get code evaluated by the sandbox can bypass its restrictions and run arbitrary JavaScript in the host process with the application's privileges, which can lead to data theft, unauthorized access to other resources, and full compromise of the affected system. The impact is most severe where the sandbox is the only barrier between untrusted code or user input and the application, because the escape removes that barrier entirely.
The vulnerability was publicly disclosed on March 13, 2026, and a proof of concept (PoC) demonstrating the sandbox escape is available, so the barrier to exploitation is low. The severity (CVSS 10) and the public PoC make exploitation plausible, even though the EPSS score (0.06%) still predicts little exploitation activity at the time of writing. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2026-26954 is to upgrade @nyariv/sandboxjs to version 0.8.34 or later. Input validation and sanitization are not a reliable substitute: the attacker-controlled input is itself the code the sandbox evaluates, and no published workaround blocks the escape in affected versions. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, stop evaluating untrusted code until it is, or at minimum run the component that uses the sandbox in a separate process with minimal OS privileges so that an escape is contained. After upgrading, confirm that no copy older than 0.8.34 remains anywhere in the dependency tree and, if you have access to the public PoC, verify that it is now rejected.
Update @nyariv/sandboxjs to version 0.8.34 or higher, which fixes the sandbox escape. Run `npm install @nyariv/sandboxjs@^0.8.34` or `yarn upgrade @nyariv/sandboxjs@^0.8.34`, then check with `npm ls @nyariv/sandboxjs` that no nested copy of an older version remains (a plain `npm update` only moves the version within the range your package.json already allows, and it does not touch copies pinned by other dependencies).
CVE-2026-26954 is a critical vulnerability in @nyariv/sandboxjs allowing attackers to bypass sandbox restrictions through Function object manipulation, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions 0.8.33 or earlier. Upgrade to 0.8.34 to resolve the issue.
Upgrade to @nyariv/sandboxjs version 0.8.34 or later. If an immediate upgrade is not possible, stop evaluating untrusted code in the sandbox until you can; input validation alone does not block the escape.
While active exploitation is not confirmed, a public PoC exists, suggesting a potential for exploitation.
Refer to the @nyariv/sandboxjs project's repository and release notes for the official advisory and details on the fix.