PT-2026-7165 · Sandboxjs · Sandboxjs
K14Uz · Published 2026-02-09 · Updated 2026-03-20 · CVE-2026-25881
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SandboxJS versions prior to 0.8.31
Description
SandboxJS is a JavaScript sandboxing library with a flaw that allows sandboxed code to modify host built-in prototypes. This is achieved by removing a protection flag through array literal intermediaries, enabling direct prototype mutation from within the sandbox. This prototype pollution can lead to remote code execution in applications that utilize these polluted properties in sensitive operations, such as using execSync(obj.cmd). The issue stems from the improper handling of the isGlobal taint flag when retrieving global prototype references from arrays.
Recommendations
Update SandboxJS to version 0.8.31 or later.
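The host-side half of the issue described above, as an added example that is not SandboxJS code and not taken from the advisory: it shows why a sink such as execSync(obj.cmd) picks up a polluted property, and how an own-property check with an allow-list, plus a prototype baseline, closes or detects it. The polluted state is set directly in the host as a constructed stand-in (no sandbox bypass is reproduced); pickCommandUnsafe, pickCommandSafe, pollutedKeys and ALLOWED are hypothetical names.

```javascript
// Snapshot of Object.prototype's own keys, taken at startup before any
// untrusted (sandboxed) code has run. Used later to detect pollution.
const BASELINE = new Set(Reflect.ownKeys(Object.prototype));

// Keys present on Object.prototype now that were not there at startup.
function pollutedKeys() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Vulnerable pattern: `job.cmd` is resolved through the prototype chain,
// so a value planted on Object.prototype is returned for any plain object.
function pickCommandUnsafe(job) {
  return job.cmd;
}

// Hardened pattern: accept only an own, string-typed property whose value
// is on an explicit allow-list (hypothetical list for this example).
const ALLOWED = new Set(['uptime', 'date']);
function pickCommandSafe(job) {
  if (!Object.prototype.hasOwnProperty.call(job, 'cmd')) return null;
  const cmd = job.cmd;
  return typeof cmd === 'string' && ALLOWED.has(cmd) ? cmd : null;
}

// Constructed scenario: the host object never sets `cmd` itself.
function demo() {
  const job = {};
  Object.prototype.cmd = 'constructed-polluted-value'; // simulated pollution
  try {
    return {
      unsafe: pickCommandUnsafe(job),        // inherited value leaks through
      safe: pickCommandSafe(job),            // rejected: not an own property
      polluted: pollutedKeys(),              // baseline diff flags the new key
      nullProto: Object.create(null).cmd,    // null-prototype objects inherit nothing
    };
  } finally {
    delete Object.prototype.cmd;             // restore the host prototype
  }
}

console.log(demo());
```

Running pollutedKeys() after each sandbox invocation gives a cheap signal that sandboxed code reached a host prototype, independent of whether the library version is patched.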
Exploit
Fix
RCE
Prototype Pollution
Affected Products
Sandboxjs