CVE-2026-25587: CWE-94: Improper Control of Generation of Code ('Code Injection') in nyariv SandboxJS
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, because Map is in SAFE_PROTOTYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.has, the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
AI Analysis
Technical Summary
CVE-2026-25587 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code, or code injection) affecting the nyariv SandboxJS library, a JavaScript sandboxing tool designed to safely execute untrusted code. The vulnerability exists in versions prior to 0.8.29 due to the inclusion of Map in the SAFE_PROTOTYPES list. This inclusion allows an attacker to access and overwrite Map.prototype.has, a fundamental method used internally by the Map object. By overwriting this method, an attacker can break out of the sandbox environment, effectively escaping the isolation intended by SandboxJS. This escape enables arbitrary code execution in the host environment with no privileges required (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward and highly impactful. The vulnerability affects confidentiality, integrity, and availability (all rated high), as attackers can run malicious code, manipulate data, or disrupt services. The issue was publicly disclosed on February 6, 2026, with a maximum CVSS score of 10. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make it a critical threat. The fix involves removing Map from SAFE_PROTOTYPES or otherwise preventing prototype pollution and method overwriting, which was implemented in version 0.8.29.
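The advisory does not show SandboxJS internals, so the following added example (not SandboxJS or project code) models the general hazard in plain Node.js: a host-side check that calls `has` through a shared, writable `Map.prototype` can be made to return anything, while a reference captured before untrusted code runs cannot. The allow-list contents and all function names are hypothetical.

```javascript
// Added example: host-side guard against an overwritten Map.prototype method.
// Simplified model of the hazard class; not SandboxJS code.

// Capture the genuine method once, before any untrusted code runs.
const originalMapHas = Map.prototype.has;

// Record every own property of a prototype so later changes can be detected.
function snapshotPrototype(proto) {
  return Reflect.ownKeys(proto).map((key) => {
    const d = Object.getOwnPropertyDescriptor(proto, key);
    return { key, value: d.value, get: d.get, set: d.set };
  });
}

// Return the names of properties that no longer match the snapshot.
function findTampering(proto, snapshot) {
  const changed = [];
  for (const entry of snapshot) {
    const d = Object.getOwnPropertyDescriptor(proto, entry.key);
    if (!d || d.value !== entry.value || d.get !== entry.get || d.set !== entry.set) {
      changed.push(String(entry.key));
    }
  }
  return changed;
}

// Membership check that ignores whatever currently sits on Map.prototype.
function safeHas(map, key) {
  return Reflect.apply(originalMapHas, map, [key]);
}

// Simulates the overwrite against a hypothetical host allow-list, reports
// what each check observed, then restores the original method.
function demo() {
  const allowList = new Map([['Math', true]]);
  const snapshot = snapshotPrototype(Map.prototype);
  try {
    Map.prototype.has = () => true; // constructed stand-in for the overwrite
    return {
      naive: allowList.has('blockedGlobal'),        // trusts the replaced method
      guarded: safeHas(allowList, 'blockedGlobal'), // uses the captured original
      tampered: findTampering(Map.prototype, snapshot),
    };
  } finally {
    Map.prototype.has = originalMapHas;
  }
}

console.log(demo());
```

The same snapshot comparison can be run after each untrusted evaluation as a tripwire on an unpatched host until the upgrade to 0.8.29 is deployed.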
Potential Impact
For European organizations, the impact of this vulnerability is severe. Many enterprises and service providers rely on JavaScript sandboxing libraries like SandboxJS to safely execute third-party or user-generated scripts, especially in cloud services, SaaS platforms, and web applications. Successful exploitation allows attackers to escape sandbox restrictions, leading to full remote code execution on the host system. This can result in data breaches, unauthorized access to sensitive information, service disruption, and potential lateral movement within networks. The critical nature of the vulnerability means that any unpatched system is at high risk of compromise. Given the widespread use of JavaScript and sandboxing in modern web infrastructure, the threat could affect sectors such as finance, healthcare, government, and technology companies across Europe. Additionally, the lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of automated exploitation attempts.
Mitigation Recommendations
1. Immediate upgrade to SandboxJS version 0.8.29 or later, where the vulnerability is fixed.
2. Audit all applications and services using SandboxJS to identify vulnerable versions.
3. Implement strict Content Security Policies (CSP) to limit the execution of untrusted scripts and reduce attack surface.
4. Employ runtime application self-protection (RASP) tools that can detect and block sandbox escape attempts.
5. Review and harden sandbox configurations to exclude unsafe prototypes or methods from exposure.
6. Monitor logs and network traffic for unusual behavior indicative of sandbox escape or code injection attempts.
7. Educate developers on secure use of sandboxing libraries and the risks of prototype pollution.
8. Consider additional isolation layers such as containerization or virtual machines for executing untrusted code.
9. Engage in threat hunting exercises focused on detecting exploitation attempts targeting SandboxJS environments.
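For the audit step, this added example (not part of the advisory or of SandboxJS) walks a parsed `package-lock.json` and flags every installed copy older than 0.8.29, including copies nested under other dependencies. It assumes the library is installed under the npm name `@nyariv/sandboxjs`; the sample lockfile, its package names and the stale version are constructed.

```javascript
// Added example: flag SandboxJS installs older than the fixed release 0.8.29.
// Assumption: the library is installed under the npm name below.
const PACKAGE = '@nyariv/sandboxjs';
const FIXED = '0.8.29';

// Split "1.2.3-rc.1" into a numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `fixed`; unparseable versions are flagged too.
function isBefore(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre; // 0.8.29-beta.1 precedes 0.8.29
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function findVulnerable(lock, name = PACKAGE, fixed = FIXED) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === suffix || path.endsWith('/' + suffix);
    if (isTarget && isBefore(meta.version, fixed)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: one fixed top-level copy, one stale nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.29' },
    'node_modules/rule-engine/node_modules/@nyariv/sandboxjs': { version: '0.8.23' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(findVulnerable(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findVulnerable`.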
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-03T01:02:46.715Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69864849f9fa50a62f2e035b
Added to database: 2/6/2026, 8:00:09 PM
Last enriched: 2/6/2026, 8:14:52 PM
Last updated: 2/6/2026, 9:08:44 PM