High severityNVD Advisory· Published Jul 31, 2025· Updated Apr 15, 2026
CVE-2025-34146
CVE-2025-34146
Description
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@nyariv/sandboxjsnpm | < 0.8.24 | 0.8.24 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-9qm3-6qrr-c76mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-34146ghsaADVISORY
- gist.github.com/Hagrid29/9df27829a491080f923c4f6b8518d7e3nvdWEB
- github.com/nyariv/SandboxJS/issues/31nvdWEB
- www.npmjs.com/package/@nyariv/sandboxjsnvdWEB
- www.vulncheck.com/advisories/nyariv-sandboxjs-prototype-pollution-sandbox-escape-dosnvdWEB
News mentions
0No linked articles in our index yet.