
CVE-2026-25520: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nyariv SandboxJS

Critical
Vulnerability | CVE-2026-25520 | Tags: cve, cve-2026-25520, cwe-74
Published: Fri Feb 06 2026 (02/06/2026, 19:53:24 UTC)
Source: CVE Database V5
Vendor/Project: nyariv
Product: SandboxJS

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor; by using Array.prototype.at, you can obtain the host's Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.

AI-Powered Analysis

Last updated: 02/06/2026, 20:15:17 UTC

Technical Analysis

CVE-2026-25520 is a critical vulnerability identified in the JavaScript sandboxing library SandboxJS, specifically in versions prior to 0.8.29. SandboxJS aims to isolate JavaScript code execution to prevent malicious scripts from escaping the sandbox. However, the vulnerability stems from improper neutralization of special elements in output used by downstream components (CWE-74). The core issue is that the return values of functions executed inside the sandbox are not wrapped or sanitized properly. Attackers can exploit this by using Object.values or Object.entries to retrieve an array containing the host environment's Function constructor. Leveraging Array.prototype.at, an attacker can access this constructor and execute arbitrary JavaScript code outside the sandbox boundaries. This results in a complete bypass of the sandbox restrictions, allowing remote code execution (RCE) on the host system. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 10.0, reflecting the highest severity due to its impact on confidentiality, integrity, and availability, ease of exploitation, and scope of affected systems. The issue was reserved on 2026-02-02 and published on 2026-02-06. Although no known exploits are reported in the wild yet, the critical nature of this flaw demands urgent attention. The vulnerability is fixed in SandboxJS version 0.8.29, which properly wraps return values to prevent access to the host's Function constructor.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those relying on SandboxJS for secure JavaScript execution in web applications, cloud services, or embedded systems. Exploitation can lead to full remote code execution, allowing attackers to execute arbitrary commands, steal sensitive data, manipulate application logic, or disrupt services. This could result in data breaches, service outages, and loss of trust. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitive nature of their data and operations. The vulnerability's network-exploitable nature means attackers can compromise systems without prior access or user interaction, increasing the likelihood of widespread impact if unpatched. Additionally, the sandbox bypass undermines any security guarantees provided by SandboxJS, potentially exposing other internal systems and networks to compromise.

Mitigation Recommendations

1. Immediately upgrade all instances of SandboxJS to version 0.8.29 or later, where the vulnerability is fixed.
2. Audit all applications and services to identify usage of SandboxJS and verify the version in use.
3. Implement runtime monitoring and anomaly detection to identify suspicious JavaScript execution patterns indicative of sandbox escapes.
4. Employ defense-in-depth by restricting network access and privileges of services using SandboxJS to limit potential damage from exploitation.
5. Review and harden Content Security Policies (CSP) to reduce the risk of malicious script injection.
6. Conduct penetration testing focused on sandbox escape techniques to validate the effectiveness of mitigations.
7. Stay informed on any emerging exploits or patches related to this vulnerability.
8. For environments where immediate patching is not feasible, consider disabling or isolating SandboxJS usage temporarily until patched.
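Step 2 of the list above (find SandboxJS and verify its version) can be scripted against npm lockfiles. The following is an added example, not code from this advisory or from the SandboxJS project; it assumes the library is installed under the npm name `@nyariv/sandboxjs` and that the lockfile has already been read and parsed with `JSON.parse`.

```javascript
// Assumption: the npm package name is "@nyariv/sandboxjs" (not stated on the page).
const PACKAGE_NAME = "@nyariv/sandboxjs";
const FIXED = [0, 8, 29]; // fixed release named in the advisory

// Parse "major.minor.patch[-prerelease]" into numbers; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 0.8.29. Unparseable versions are
// reported as vulnerable so they get a manual look instead of being skipped.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease such as 0.8.29-beta.1 precedes 0.8.29
}

// Walk a parsed package-lock.json (v2/v3 "packages" map, or the v1 nested
// "dependencies" tree) and return every installed copy with its status.
function auditLockfile(lock) {
  const found = [];
  const record = (path, meta) =>
    found.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  const suffix = "node_modules/" + PACKAGE_NAME;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) record(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PACKAGE_NAME) record(path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfile (not real project data).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@nyariv/sandboxjs": { version: "0.8.29" },
  "node_modules/widget/node_modules/@nyariv/sandboxjs": { version: "0.8.23" },
} };
console.log(auditLockfile(sampleLock));
```

Nested copies pulled in by other dependencies are reported with their full `node_modules` path, which is where an outdated transitive install usually hides after the top-level package has been upgraded.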


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T18:21:42.487Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69864849f9fa50a62f2e0353

Added to database: 2/6/2026, 8:00:09 PM

Last enriched: 2/6/2026, 8:15:17 PM

Last updated: 2/6/2026, 9:06:54 PM
