CVE-2026-25142 | THREATINT

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.

PUBLISHED Reserved 2026-01-29 | Published 2026-02-02 | Updated 2026-02-04 | Assigner GitHub_M

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 0.8.27

affected

References

github.com/...dboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7

github.com/...ommit/75c8009db32e6829b0ad92ca13bf458178442bd3

github.com/...a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts

cve.org (CVE-2026-25142)

nvd.nist.gov (CVE-2026-25142)

Download JSON