CVE-2026-25881

{"id": "CVE-2026-25881", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2026-02-09T22:16:03.423", "references": [{"url": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31."}, {"lang": "es", "value": "SandboxJS es una biblioteca de sandboxing de JavaScript. Antes de la versi\u00f3n 0.8.31, una vulnerabilidad de escape de sandbox permite que el c\u00f3digo en sandbox mute los prototipos integrados del host al blanquear la bandera de protecci\u00f3n 'isGlobal' a trav\u00e9s de intermediarios de literales de array. Cuando una referencia de prototipo global (por ejemplo, Map.prototype, Set.prototype) se coloca en un array y se recupera, la marca 'isGlobal' se elimina, permitiendo la mutaci\u00f3n directa del prototipo desde dentro del sandbox. Esto resulta en una contaminaci\u00f3n persistente de prototipos del lado del host y puede habilitar RCE en aplicaciones que usan propiedades contaminadas en sumideros sensibles (ejemplo de gadget: execSync(obj.cmd)). Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.8.31."}], "lastModified": "2026-02-18T18:07:12.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "626B7924-ECB8-4661-A9FA-3A12B095F1DE", "versionEndExcluding": "0.8.31"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}