PT-2026-6652 · Sandboxjs+1
Sofianeelhor · Published 2026-02-05 · Updated 2026-02-09 · CVE-2026-25586
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SandboxJS and Affected Versions
SandboxJS versions prior to 0.8.29
Description
SandboxJS, a JavaScript sandboxing library, is susceptible to a sandbox escape. The hasOwnProperty method can be shadowed on a sandbox object, which disables prototype whitelist enforcement during property access. This allows direct access to blocked prototype properties like __proto__, potentially leading to host Object.prototype pollution and cross-sandbox impact. The issue was reproducible on Node v23.9.0. The root cause is the direct use of a.hasOwnProperty(b) within the prototypeAccess function: if the sandboxed object shadows hasOwnProperty, the attacker controls the result of that call and the whitelist checks are bypassed. The vulnerability can be exploited to achieve remote code execution (RCE) through host gadget exploitation and prototype pollution. Specifically, the hasOwnProperty bypass allows the mutation of Object.prototype, potentially leading to the execution of arbitrary commands.
Recommendations
Update SandboxJS to version 0.8.29 or later.
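The root cause described above, shown as an added example that is not SandboxJS source code: a simplified allowlist guard that asks the untrusted object about its own properties, next to a hardened form that calls the intrinsic directly. The names ALLOWED_INHERITED, unsafeMayAccess and safeMayAccess are hypothetical, and the sample objects are constructed.

```javascript
// Added illustration of the a.hasOwnProperty(b) pattern; not SandboxJS code.
// ALLOWED_INHERITED, unsafeMayAccess and safeMayAccess are hypothetical names.
const ALLOWED_INHERITED = new Set(['toString', 'valueOf']);

// Weak form: the method is looked up on the untrusted object, so the object
// itself decides whether the allowlist is consulted at all.
function unsafeMayAccess(obj, key) {
  if (obj.hasOwnProperty(key)) return true; // own properties skip the allowlist
  return ALLOWED_INHERITED.has(key);
}

// Hardened form: invoke the intrinsic with obj as the receiver, so a shadowing
// property on obj is never called. Object.hasOwn(obj, key) behaves the same way.
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
function safeMayAccess(obj, key) {
  if (hasOwn(obj, key)) return true;
  return ALLOWED_INHERITED.has(key);
}

// Constructed inputs for the comparison.
const plain = { a: 1 };
const shadowing = { hasOwnProperty: () => true }; // answers "yes" to every key
const nullProto = Object.create(null);            // has no hasOwnProperty at all

// Run both guards on the same input; record a throw instead of propagating it.
function compare(obj, key) {
  let unsafe;
  try {
    unsafe = unsafeMayAccess(obj, key);
  } catch (e) {
    unsafe = 'throws ' + e.constructor.name;
  }
  return { unsafe, safe: safeMayAccess(obj, key) };
}

function demo() {
  return {
    plainOwn: compare(plain, 'a'),
    plainProto: compare(plain, '__proto__'),
    shadowProto: compare(shadowing, '__proto__'),
    nullProtoKey: compare(nullProto, 'a'),
  };
}

console.log(demo());
```

Only the shadowing object makes the two guards disagree on __proto__; the null-prototype case shows that the weak form also fails outright on objects that do not inherit from Object.prototype.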
Exploit
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Node
Sandboxjs