CVE-2026-25586 — AI Deep Analysis Summary

🚨 **Essence**: SandboxJS < 0.8.29 has a **Sandbox Escape** flaw. 🛑 **Consequences**: Attackers bypass security controls, pollute `Object.prototype`, and cause persistent cross-sandbox damage. 💥

🔍 **Root Cause**: **CWE-74** (Improper Neutralization). The flaw stems from **masking `hasOwnProperty`** on the sandbox object.…

👥 **Affected**: **SandboxJS** by developer **nyariv**. 📦 **Version**: All versions **prior to 0.8.29**. ⚠️

💀 **Attacker Capabilities**: Full **Privilege Escalation** within the sandbox. They can access **`__proto__`**, pollute global objects, and execute **Cross-Sandbox Attacks**. 🌐

📉 **Exploitation Threshold**: **LOW**. CVSS indicates **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges), **UI:N** (No User Interaction). Easy to exploit remotely! 🚀

📂 **Public Exploit**: **No**. The `pocs` field is empty. 🚫 While the flaw is clear, no public PoC or wild exploitation code is currently available. 🕵️

🔎 **Self-Check**: Scan for **SandboxJS** installations. Check version numbers. Look for usage of `hasOwnProperty` without proper isolation in custom sandbox implementations. 🧪

✅ **Fixed**: **Yes**. Patched in **version 0.8.29**. 🛠️ Reference: GitHub commit `67cb186` and GHSA advisory `GHSA-jjpw-65fv-8g48`. 🔗

🛡️ **No Patch Workaround**: **Not Recommended**. Since it allows prototype pollution, temporary mitigations are risky. **Upgrade immediately** if possible. If stuck, isolate the environment strictly. 🧱

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8+). Network-accessible, no auth needed, and causes severe data integrity issues. Patch NOW! ⏳