Critical severity · OSV Advisory · Published Feb 2, 2026 · Updated Feb 4, 2026

SandboxJS Prototype Pollution -> Sandbox Escape -> RCE

CVE-2026-25142

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__, which can be used to obtain prototypes and, through them, to escape the sandbox and achieve remote code execution. This vulnerability is fixed in 0.8.27.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| @nyariv/sandboxjs (npm) | < 0.8.27 | 0.8.27 |
