CVE-2026-25520

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.8.29

Description SandboxJS is a JavaScript sandboxing library affected by an issue where the return values of functions are not properly wrapped. This allows attackers to use Object.values or Object.entries to obtain an array containing the host's Function constructor. By utilizing Array.prototype.at, the host's Function constructor can be accessed, enabling the execution of arbitrary code outside of the sandbox. The provided proof-of-concept code demonstrates how to leverage this to execute commands like 'ls -lah' using the child process module. The vulnerability allows for sandbox escape, potentially leading to remote code execution (RCE).

Recommendations Versions prior to 0.8.29 should be updated to version 0.8.29 or later.