Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.28, 0.8.27
CVE-2026-25142 is a critical Remote Code Execution (RCE) vulnerability affecting the @nyariv/sandboxjs JavaScript library. This flaw stems from inadequate restrictions on the lookupGetter function, enabling attackers to potentially escape the sandbox environment and execute arbitrary code. The vulnerability impacts applications utilizing @nyariv/sandboxjs versions prior to 0.8.27 and a fix is available in version 0.8.27.
The core of this vulnerability lies in the improper handling of lookupGetter within the SandboxJS library. SandboxJS is designed to provide a secure environment for executing untrusted code. However, the flaw allows an attacker to bypass the intended security measures by accessing prototypes and manipulating the object model. This can lead to complete control over the application's execution context. A successful exploit could allow an attacker to read sensitive data, modify application behavior, or even gain remote access to the underlying system. The potential impact is significant, particularly in scenarios where SandboxJS is used to execute user-provided code or interact with external resources.
This vulnerability was publicly disclosed on 2026-02-02. A proof-of-concept (PoC) demonstrating the exploitation of this vulnerability is publicly available on GitHub. The CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. While no active campaigns have been publicly reported, the availability of a PoC increases the risk of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Applications utilizing @nyariv/sandboxjs for sandboxing or isolating untrusted code are at significant risk. This includes web applications, desktop applications, and any environment where user-provided code is executed within a controlled environment. Developers relying on SandboxJS for security should prioritize upgrading to the patched version.
• nodejs / supply-chain: npm list @nyariv/sandboxjs
• nodejs / supply-chain: npm audit @nyariv/sandboxjs
• nodejs / supply-chain: grep -r "__lookupGetter__" node_modules/@nyariv/sandboxjs
Links: disclosure, poc, patch
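The commands above check one installed tree at a time. The following script is an added example, not part of this advisory or of the @nyariv/sandboxjs project: it parses an npm package-lock.json (lockfileVersion 1, 2 or 3), collects every installed copy of @nyariv/sandboxjs, including nested copies pulled in by other dependencies, and reports those below the fixed version 0.8.27. The sample lockfile embedded at the bottom is constructed for demonstration; the package and version fields follow npm's lockfile layout.

```javascript
// Added example: find vulnerable copies of @nyariv/sandboxjs in a package-lock.json.
// Not code from the advisory or the sandboxjs project.

const PACKAGE = "@nyariv/sandboxjs";
const FIXED_VERSION = "0.8.27"; // first fixed release named in the advisory

// Numeric comparison of dotted versions; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Collect every installed copy of PACKAGE from a parsed lockfile.
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree.
function findInstalledVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (name === PACKAGE && entry.version) {
          found.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Entries strictly below FIXED_VERSION are still affected.
function vulnerableEntries(lock) {
  return findInstalledVersions(lock).filter(
    (e) => compareVersions(e.version, FIXED_VERSION) < 0
  );
}

// Constructed sample: the top-level copy is fixed, but a plugin bundles
// an older nested copy that "npm list" at the root can be easy to miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@nyariv/sandboxjs": { version: "0.8.27" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/@nyariv/sandboxjs": { version: "0.8.26" },
  },
};

// Human-readable report; returns the vulnerable entries so callers can act on them.
function auditLockfile(lock) {
  const bad = vulnerableEntries(lock);
  if (bad.length === 0) {
    console.log(`OK: no ${PACKAGE} below ${FIXED_VERSION} found`);
  } else {
    for (const e of bad) {
      console.log(`VULNERABLE: ${e.path} has ${PACKAGE}@${e.version} (< ${FIXED_VERSION})`);
    }
  }
  return bad;
}

// Usage: node audit-sandboxjs.js [path/to/package-lock.json]
// Without an argument the constructed SAMPLE_LOCK is audited.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  auditLockfile(lock);
}
```

Run it against a real lockfile with `node audit-sandboxjs.js package-lock.json`; the nested-copy case is the one worth checking, since a fixed top-level version does not guarantee that every dependency resolved the same copy.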
Exploit status
EPSS
0.21% (percentile 43%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25142 is to immediately upgrade to version 0.8.27 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing runtime checks to restrict access to sensitive prototype properties. While not a complete solution, this can reduce the attack surface. Additionally, review any code that utilizes SandboxJS to ensure it does not inadvertently expose sensitive data or functionality. After upgrading, confirm the fix by attempting to trigger the vulnerable code path and verifying that the sandbox restrictions are properly enforced.
Update the SandboxJS library to version 0.8.27 or later. This version fixes the (prototype pollution) vulnerability that allows remote code execution. To update, use the npm package manager: `npm install @nyariv/sandboxjs@latest`.
CVE-2026-25142 is a critical Remote Code Execution vulnerability in the @nyariv/sandboxjs library, allowing attackers to escape the sandbox and execute arbitrary code.
You are affected if your application uses @nyariv/sandboxjs versions prior to 0.8.27. Check your project dependencies immediately.
Upgrade to version 0.8.27 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement runtime checks to restrict prototype access.
While no active campaigns have been confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the @nyariv/sandboxjs GitHub repository for updates and advisories related to CVE-2026-25142.