प्लेटफ़ॉर्म
nodejs
घटक
@nyariv/sandboxjs
में ठीक किया गया
0.8.30
0.8.29
CVE-2026-25587 describes a critical prototype pollution vulnerability discovered in the @nyariv/sandboxjs JavaScript library. This flaw allows attackers to escape the intended sandbox environment by manipulating the Map.prototype.has method, potentially leading to arbitrary code execution. The vulnerability impacts versions of @nyariv/sandboxjs released before version 0.8.29, and a patch is available.
Successful exploitation of CVE-2026-25587 enables an attacker to bypass the intended security restrictions of the @nyariv/sandboxjs library. The sandbox is designed to isolate untrusted code, but this prototype pollution vulnerability allows attackers to inject malicious code into the global scope or modify existing objects within the application. This can lead to arbitrary code execution, data breaches, and complete compromise of the affected system. The vulnerability's effectiveness stems from the inconsistent behavior of let and const when accessing Map.prototype, allowing for prototype manipulation.
CVE-2026-25587 is related to CVE-2026-25142, sharing a similar exploitation pattern. Public proof-of-concept code is available, indicating a relatively low barrier to entry for attackers. The vulnerability was publicly disclosed on 2026-02-05. While no active exploitation campaigns have been confirmed, the critical severity and availability of a PoC suggest a high probability of exploitation if left unpatched.
Applications utilizing @nyariv/sandboxjs to isolate untrusted code are at significant risk. This includes web applications, desktop applications, and any environment where JavaScript code is executed within a sandboxed environment. Projects relying on older versions of the library, particularly those with limited security monitoring, are especially vulnerable.
• nodejs / supply-chain:
npm list @nyariv/sandboxjs• nodejs / supply-chain:
npm audit @nyariv/sandboxjs• generic web: Inspect application code for usage of @nyariv/sandboxjs and any user-controlled data being used to modify Map objects.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.03% (9% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2026-25587 is to immediately upgrade to version 0.8.29 or later of the @nyariv/sandboxjs library. If upgrading is not immediately feasible, consider implementing a temporary workaround by strictly validating and sanitizing any user-supplied data that could potentially influence the Map object. Additionally, implement runtime checks to detect unexpected modifications to Map.prototype.has. After upgrading, confirm the fix by attempting to trigger the prototype pollution vulnerability with a known payload and verifying that the sandbox remains intact.
Actualice la biblioteca SandboxJS a la versión 0.8.29 o superior. Esta versión corrige la vulnerabilidad de escape de sandbox al evitar la manipulación del prototipo de Map. Para actualizar, use el administrador de paquetes correspondiente (por ejemplo, npm o yarn) e instale la versión más reciente.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2026-25587 is a critical prototype pollution vulnerability in @nyariv/sandboxjs that allows attackers to escape the sandbox by manipulating Map.prototype.has, potentially leading to code execution.
You are affected if you are using @nyariv/sandboxjs versions prior to 0.8.29. Assess your project dependencies immediately.
Upgrade to version 0.8.29 or later of @nyariv/sandboxjs. If immediate upgrade is not possible, implement temporary workarounds like input validation.
While no active exploitation campaigns have been confirmed, the critical severity and availability of a PoC suggest a high probability of exploitation.
Refer to the @nyariv/sandboxjs project repository and related security advisories for the latest information and updates.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।