Platform
javascript
Component
cohere-terrarium
Fixed in
1.0.2
CVE-2026-5752 describes a critical sandbox escape vulnerability discovered in cohere-terrarium versions 1.0.0 through 1.0.1. This flaw enables an attacker to execute arbitrary code with root privileges on the host process, effectively bypassing the intended security boundaries of the Terrarium sandbox. The vulnerability stems from a JavaScript prototype chain traversal issue. A fix is available in version 1.0.2.
The impact of CVE-2026-5752 is severe. Successful exploitation allows an attacker to gain root-level access to the host system. This means they can execute arbitrary commands, install malware, steal sensitive data, and potentially compromise the entire infrastructure. The sandbox escape bypasses the intended isolation of Terrarium, making it a particularly dangerous vulnerability. Attackers could leverage this to pivot to other systems within the network, leading to widespread data breaches and system disruption. The ability to execute code with root privileges significantly expands the attack surface and increases the potential for catastrophic damage.
CVE-2026-5752 was publicly disclosed on 2026-04-14. The vulnerability's nature, allowing arbitrary code execution with root privileges, suggests a potentially high exploitation probability. While no public proof-of-concept (PoC) has been released as of this writing, the severity of the vulnerability and the ease of exploitation (prototype chain traversal) make it a likely target for exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (8% percentile)
The primary mitigation for CVE-2026-5752 is to immediately upgrade cohere-terrarium to version 1.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization within the Terrarium environment to limit the potential for prototype chain traversal. While not a complete solution, this can reduce the attack surface. Monitor JavaScript execution within the Terrarium sandbox for unusual behavior or attempts to access restricted resources. Review and update security policies to restrict the privileges granted to Terrarium processes. After upgrading, confirm the fix by attempting to trigger the prototype chain traversal vulnerability and verifying that it is no longer exploitable.
Update to version 1.0.2 or later to mitigate the sandbox escape vulnerability. This update addresses the possibility of arbitrary code execution with root privileges through JavaScript prototype chain manipulation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5752 is a sandbox escape vulnerability in cohere-terrarium versions 1.0.0–1.0.1, allowing attackers to execute arbitrary code with root privileges through JavaScript prototype chain traversal.
You are affected if you are using cohere-terrarium versions 1.0.0 through 1.0.1. Upgrade to version 1.0.2 or later to mitigate the risk.
Upgrade cohere-terrarium to version 1.0.2 or later. If immediate upgrade is not possible, implement stricter input validation and monitor sandbox execution.
While no active exploitation has been confirmed, the vulnerability's severity and potential for easy exploitation make it a likely target.
Refer to the official cohere-terrarium project website or security mailing list for the advisory related to CVE-2026-5752.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.