CVE-2026-25641: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in nyariv SandboxJS
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.
AI Analysis
Technical Summary
CVE-2026-25641 is a critical vulnerability in the SandboxJS library, a JavaScript sandboxing tool designed to isolate and safely execute untrusted code. The vulnerability is a Time-of-check to time-of-use (TOCTOU) race condition categorized under CWE-367. It occurs because the key used during the validation phase (using hasOwnProperty(key)) differs from the key used during actual property access due to the lack of strict enforcement of the key's string type. Attackers can exploit this by passing specially crafted malicious objects that coerce to different string values at validation and access times, effectively bypassing the sandbox's security checks. This sandbox escape allows malicious code to break out of the restricted environment, potentially executing arbitrary code or accessing sensitive data outside the sandbox. The flaw affects all versions of SandboxJS prior to 0.8.29, where the issue has been fixed. The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical nature with network attack vector, no required privileges or user interaction, and complete impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the severity and nature of the vulnerability make it a high priority for patching.
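The check/use mismatch described above, reduced to a stand-alone guard (an added example, not SandboxJS source and not the 0.8.29 patch). The helper names, the sample object and the shifting key are constructed for illustration; the hardened variant shows one way to enforce a primitive key and reuse the same value for both the check and the access.

```javascript
// Added illustration with hypothetical helper names; not SandboxJS source.

// Flawed pattern: `key` is assumed to be a string but never enforced, so the
// check and the access each coerce it to a property key separately.
function getOwnUnsafe(obj, key) {
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined; // coercion 1 (check)
  return obj[key];                                                       // coercion 2 (use)
}

// Hardened pattern: reject non-primitive keys, normalise once, then use the
// same primitive value for both the ownership check and the access.
function getOwnSafe(obj, key) {
  const t = typeof key;
  if (t !== 'string' && t !== 'number' && t !== 'symbol') {
    throw new TypeError('property key must be a primitive');
  }
  const k = t === 'symbol' ? key : String(key);
  return Object.prototype.hasOwnProperty.call(obj, k) ? obj[k] : undefined;
}

// Constructed regression input: a key whose string form differs between the
// first coercion and every later one.
function makeShiftingKey(first, later) {
  let calls = 0;
  return { toString() { return calls++ === 0 ? first : later; } };
}

function demo() {
  // `internal` is inherited, not own, so an own-property guard must never return it.
  const target = Object.create({ internal: 'inherited value' });
  target.allowed = 'public value';

  const unsafe = getOwnUnsafe(target, makeShiftingKey('allowed', 'internal'));
  let safe;
  try {
    safe = getOwnSafe(target, makeShiftingKey('allowed', 'internal'));
  } catch (e) {
    safe = e.name; // the hardened guard refuses object keys outright
  }
  return {
    unsafe,                                   // guard bypassed
    safe,                                     // object key rejected
    direct: getOwnSafe(target, 'internal'),   // inherited property stays hidden
    ok: getOwnSafe(target, 'allowed'),        // legitimate access still works
  };
}
```

Calling `demo()` makes a useful regression test: any guard that returns the inherited value for the shifting key is coercing the key more than once.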
Potential Impact
For European organizations, the impact of this vulnerability can be severe, especially for those relying on SandboxJS to securely execute untrusted JavaScript code in web applications, cloud services, or development tools. A successful exploit could lead to sandbox escape, allowing attackers to execute arbitrary code on the host system, access sensitive data, or disrupt service availability. This could result in data breaches, intellectual property theft, service downtime, and reputational damage. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often use sandboxing for security isolation, are particularly at risk. The critical severity and ease of exploitation without authentication mean that attackers can remotely compromise vulnerable systems, which widens the exposure of affected deployments. Additionally, the vulnerability could be leveraged as a stepping stone for more complex attacks within European networks, amplifying its impact.
Mitigation Recommendations
The primary mitigation is to upgrade all instances of SandboxJS to version 0.8.29 or later, where the vulnerability is patched. Organizations should conduct an inventory of their software dependencies to identify any use of vulnerable SandboxJS versions. In addition to patching, developers should review sandbox implementation configurations to ensure strict type enforcement on keys and validate inputs rigorously. Employ runtime monitoring and anomaly detection to identify suspicious behavior indicative of sandbox escape attempts. Where possible, implement defense-in-depth by isolating sandboxed environments at the OS or container level to limit potential damage from escapes. Regularly update and audit third-party libraries and dependencies to prevent similar vulnerabilities. Finally, educate development teams about TOCTOU race conditions and secure coding practices to reduce the risk of introducing such flaws.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.791Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69864849f9fa50a62f2e035f
Added to database: 2/6/2026, 8:00:09 PM
Last enriched: 2/6/2026, 8:14:41 PM
Last updated: 2/6/2026, 9:08:47 PM
Related Threats
- CVE-2026-25631: CWE-20: Improper Input Validation in n8n-io n8n (Medium)
- CVE-2026-25592: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in microsoft semantic-kernel (Critical)
- CVE-2026-2066: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-25729: CWE-863: Incorrect Authorization in lintsinghua DeepAudit (Low)
- CVE-2026-25634: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in InternationalColorConsortium iccDEV (High)