CVE-2026-25142: CWE-94: Improper Control of Generation of Code ('Code Injection') in nyariv SandboxJS
CVE-2026-25142 is a critical code injection vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0. 8. 27. The flaw arises from improper restriction of the __lookupGetter__ method, which attackers can exploit to access prototypes and escape the sandbox environment, leading to remote code execution without requiring authentication or user interaction. This vulnerability has a CVSS score of 10, indicating maximum severity with full confidentiality, integrity, and availability impact. Although no known exploits are currently reported in the wild, the risk is high due to the ease of exploitation and the potential for complete system compromise. European organizations using vulnerable versions of SandboxJS in web applications or services are at significant risk, especially those in sectors relying heavily on JavaScript sandboxing for security. Mitigation requires immediate upgrading to SandboxJS version 0. 8. 27 or later and auditing dependent applications for usage of the vulnerable versions.
AI Analysis
Technical Summary
CVE-2026-25142 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the SandboxJS library, a JavaScript sandboxing tool designed to isolate and safely execute untrusted code. Prior to version 0.8.27, SandboxJS fails to properly restrict the __lookupGetter__ method, a JavaScript feature that allows access to property getters on objects, including those on prototypes. By exploiting this, an attacker can retrieve prototype objects and manipulate them to escape the sandbox environment. Escaping the sandbox effectively breaks the isolation guarantees, enabling remote code execution (RCE) on the host environment. The vulnerability requires no privileges or user interaction, making it trivially exploitable over the network. The CVSS 3.1 base score of 10 reflects the vulnerability’s critical nature, with attack vector being network-based, low attack complexity, no privileges required, no user interaction, and a scope change that affects components beyond the sandbox. The impact on confidentiality, integrity, and availability is total, as attackers can execute arbitrary code, potentially taking full control of affected systems. Although no public exploits are reported yet, the vulnerability’s characteristics make it a prime target for attackers once weaponized. The fix was introduced in SandboxJS version 0.8.27, which properly restricts __lookupGetter__ to prevent prototype access and sandbox escape.
Potential Impact
For European organizations, the impact of CVE-2026-25142 can be severe. Organizations using SandboxJS in web applications, cloud services, or embedded systems risk full system compromise if they run vulnerable versions. The vulnerability allows attackers to bypass sandbox protections, leading to remote code execution, data theft, service disruption, and potential lateral movement within networks. Critical infrastructure providers, financial institutions, and technology companies relying on JavaScript sandboxing for secure code execution are particularly vulnerable. Exploitation could result in loss of sensitive data, operational downtime, reputational damage, and regulatory penalties under GDPR due to inadequate security controls. The ease of exploitation and lack of required authentication increase the threat level, making timely patching essential to prevent widespread attacks. Additionally, the vulnerability could be leveraged in supply chain attacks if SandboxJS is embedded in third-party libraries or services used by European enterprises.
Mitigation Recommendations
Immediate mitigation involves upgrading all instances of SandboxJS to version 0.8.27 or later, where the vulnerability is fixed. Organizations should conduct an inventory of applications and services using SandboxJS to identify vulnerable versions. Where upgrading is not immediately feasible, implement strict input validation and sandbox usage restrictions to limit exposure. Employ runtime monitoring and anomaly detection to identify suspicious sandbox escape attempts, such as unusual prototype access or unexpected code execution patterns. Review and harden JavaScript execution environments by disabling or restricting dangerous object prototype manipulations where possible. Engage in secure software development practices to avoid reliance on vulnerable sandboxing libraries and consider alternative sandboxing solutions with proven security records. Finally, maintain up-to-date threat intelligence feeds to monitor for emerging exploits targeting this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
CVE-2026-25142: CWE-94: Improper Control of Generation of Code ('Code Injection') in nyariv SandboxJS
Description
CVE-2026-25142 is a critical code injection vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0. 8. 27. The flaw arises from improper restriction of the __lookupGetter__ method, which attackers can exploit to access prototypes and escape the sandbox environment, leading to remote code execution without requiring authentication or user interaction. This vulnerability has a CVSS score of 10, indicating maximum severity with full confidentiality, integrity, and availability impact. Although no known exploits are currently reported in the wild, the risk is high due to the ease of exploitation and the potential for complete system compromise. European organizations using vulnerable versions of SandboxJS in web applications or services are at significant risk, especially those in sectors relying heavily on JavaScript sandboxing for security. Mitigation requires immediate upgrading to SandboxJS version 0. 8. 27 or later and auditing dependent applications for usage of the vulnerable versions.
AI-Powered Analysis
Technical Analysis
CVE-2026-25142 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the SandboxJS library, a JavaScript sandboxing tool designed to isolate and safely execute untrusted code. Prior to version 0.8.27, SandboxJS fails to properly restrict the __lookupGetter__ method, a JavaScript feature that allows access to property getters on objects, including those on prototypes. By exploiting this, an attacker can retrieve prototype objects and manipulate them to escape the sandbox environment. Escaping the sandbox effectively breaks the isolation guarantees, enabling remote code execution (RCE) on the host environment. The vulnerability requires no privileges or user interaction, making it trivially exploitable over the network. The CVSS 3.1 base score of 10 reflects the vulnerability’s critical nature, with attack vector being network-based, low attack complexity, no privileges required, no user interaction, and a scope change that affects components beyond the sandbox. The impact on confidentiality, integrity, and availability is total, as attackers can execute arbitrary code, potentially taking full control of affected systems. Although no public exploits are reported yet, the vulnerability’s characteristics make it a prime target for attackers once weaponized. The fix was introduced in SandboxJS version 0.8.27, which properly restricts __lookupGetter__ to prevent prototype access and sandbox escape.
Potential Impact
For European organizations, the impact of CVE-2026-25142 can be severe. Organizations using SandboxJS in web applications, cloud services, or embedded systems risk full system compromise if they run vulnerable versions. The vulnerability allows attackers to bypass sandbox protections, leading to remote code execution, data theft, service disruption, and potential lateral movement within networks. Critical infrastructure providers, financial institutions, and technology companies relying on JavaScript sandboxing for secure code execution are particularly vulnerable. Exploitation could result in loss of sensitive data, operational downtime, reputational damage, and regulatory penalties under GDPR due to inadequate security controls. The ease of exploitation and lack of required authentication increase the threat level, making timely patching essential to prevent widespread attacks. Additionally, the vulnerability could be leveraged in supply chain attacks if SandboxJS is embedded in third-party libraries or services used by European enterprises.
Mitigation Recommendations
Immediate mitigation involves upgrading all instances of SandboxJS to version 0.8.27 or later, where the vulnerability is fixed. Organizations should conduct an inventory of applications and services using SandboxJS to identify vulnerable versions. Where upgrading is not immediately feasible, implement strict input validation and sandbox usage restrictions to limit exposure. Employ runtime monitoring and anomaly detection to identify suspicious sandbox escape attempts, such as unusual prototype access or unexpected code execution patterns. Review and harden JavaScript execution environments by disabling or restricting dangerous object prototype manipulations where possible. Engage in secure software development practices to avoid reliance on vulnerable sandboxing libraries and consider alternative sandboxing solutions with proven security records. Finally, maintain up-to-date threat intelligence feeds to monitor for emerging exploits targeting this vulnerability.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-29T15:39:11.820Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69813006f9fa50a62f63a40f
Added to database: 2/2/2026, 11:15:18 PM
Last enriched: 2/2/2026, 11:29:26 PM
Last updated: 2/3/2026, 4:08:12 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-67482: Vulnerability in Wikimedia Foundation Scribunto
LowCVE-2025-58383: CWE-250: Execution with Unnecessary Privileges in Brocade Fabric OS
HighCVE-2025-58382: CWE-305: Authentication Bypass by Primary Weakness in Brocade Fabric OS
HighCVE-2025-58379: CWE-250 Execution with Unnecessary Privileges in Brocade Fabric OS
MediumCVE-2025-12774: CWE-312 Cleartext Storage of Sensitive Information in Brocade SANnav
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.