Critical severityNVD Advisory· Published Feb 6, 2026· Updated Feb 6, 2026
SandboxJS has a Sandbox Escape
CVE-2026-25587
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@nyariv/sandboxjsnpm | < 0.8.29 | 0.8.29 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-66h4-qj4x-38xpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25587ghsaADVISORY
- github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3ghsax_refsource_MISCWEB
- github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.