SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
References
| Link | Resource |
|---|---|
| https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 | Patch |
| https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 | Exploit Vendor Advisory |
| https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 | Exploit Vendor Advisory |
Configurations
History
18 Feb 2026, 14:33
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Nyariv sandboxjs
Nyariv |
|
| References | () https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 - Patch | |
| References | () https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:* |
06 Feb 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 - |
06 Feb 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-06 20:16
Updated : 2026-02-18 14:33
NVD link : CVE-2026-25520
Mitre link : CVE-2026-25520
CVE.ORG link : CVE-2026-25520
JSON object : View
Products Affected
nyariv
- sandboxjs
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')