CVE-2026-25142 — AI Deep Analysis Summary

🚨 **Essence**: SandboxJS < 0.8.27 suffers from **Code Injection** via improper restriction of `__lookupGetter__`.…

🛡️ **Root Cause**: **CWE-94** (Code Injection). The core flaw is the failure to properly restrict the `__lookupGetter__` method. This oversight creates a backdoor for malicious code to escape the isolated environment.

👥 **Affected**: **SandboxJS** by developer **nyariv**. Specifically, all versions **prior to 0.8.27**. If you are running an older version of this security assessment tool, you are vulnerable.

💀 **Attacker Capabilities**: Hackers can achieve **Sandbox Escape**. This grants them the ability to execute arbitrary code remotely.…

🔓 **Exploitation Threshold**: **LOW**. The CVSS vector indicates **Network** accessible, **Low** complexity, and **No** privileges or user interaction required. It is a critical, easy-to-exploit vulnerability.

📦 **Public Exploit**: Currently, the **PoCs list is empty** in the provided data. However, given the low exploitation threshold, proof-of-concept code is likely emerging or easily derivable from the technical details.

🔍 **Self-Check**: Check your installed version of **SandboxJS**. If the version number is **less than 0.8.27**, you are affected. Look for usage of `__lookupGetter__` in custom scripts if you are the developer.

✅ **Official Fix**: **Yes**. The vulnerability has been addressed. Refer to the GitHub commit `75c8009` and the security advisory `GHSA-9p4w-fq8m-2hp7` for the official patch details.

🚧 **No Patch Workaround**: If you cannot upgrade immediately, **disable** the SandboxJS service if not essential. Strictly **sanitize inputs** and avoid executing untrusted scripts that might leverage `__lookupGetter__`.

⚡ **Urgency**: **CRITICAL**. With a CVSS score indicating High impact and Low exploitation difficulty, you must **patch immediately** to version 0.8.27 or later to prevent potential RCE attacks.