CVE-2026-25586— SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25586
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution
Source: NVD (National Vulnerability Database)
Vulnerability Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SandboxJS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SandboxJS是nyariv个人开发者的一个安全评估软件。 SandboxJS 0.8.29之前版本存在安全漏洞,该漏洞源于通过在沙箱对象上遮蔽hasOwnProperty可导致沙箱逃逸,从而禁用属性访问路径中的原型白名单强制执行,允许直接访问__proto__和其他被阻止的原型属性,可能导致主机Object.prototype污染和持久的跨沙箱影响。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2026-25586
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25586
请登录查看更多情报信息。
Same Patch Batch · nyariv · 2026-02-06 · 4 CVEs total
| CVE-2026-25641 | 10.0 CRITICAL | SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses |
| CVE-2026-25520 | 10.0 CRITICAL | SandboxJS has a Sandbox Escape |
| CVE-2026-25587 | 10.0 CRITICAL | SandboxJS has a Sandbox Escape |
IV. Related Vulnerabilities
Same product: SandboxJS
- CVE-2026-34217
SandboxJS has a Sandbox Escape via Prop Object Leak in New H - CVE-2026-34211
SandboxJS: Stack overflow DoS via deeply nested expressions - CVE-2026-34208
SandboxJS: Sandbox integrity escape - CVE-2026-32723
SandboxJS timers have an execution-quota bypass (cross-sandb - CVE-2026-26954
SandboxJS has a Sandbox Escape
Same vendor: nyariv
- CVE-2026-34217
SandboxJS has a Sandbox Escape via Prop Object Leak in New H - CVE-2026-34211
SandboxJS: Stack overflow DoS via deeply nested expressions - CVE-2026-34208
SandboxJS: Sandbox integrity escape - CVE-2026-32723
SandboxJS timers have an execution-quota bypass (cross-sandb - CVE-2026-26954
SandboxJS has a Sandbox Escape
Same weakness: CWE-74
- CVE-2025-67486
Dolibarr has an Authenticated Remote Code Execution via eval - CVE-2026-26164
M365 Copilot Information Disclosure Vulnerability - CVE-2026-7045
baomidou dynamic-datasource StandardEvaluationContext/SpelEx - CVE-2026-6994
Envoy Query Parameter header_mutation.cc params.add injectio - CVE-2026-41319
MailKit has STARTTLS Response Injection via unflushed stream
V. Comments for CVE-2026-25586
No comments yet