CVE-2026-25641 in SandboxJS
Summary
by MITRE • 02/06/2026
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2026-25641 affects SandboxJS, a JavaScript sandboxing library designed to provide secure execution environments for untrusted code. It is a critical sandbox escape flaw that undermines the library's core security guarantee. The root cause is a mismatch between how property keys are validated and how they are subsequently used for property access within the sandboxed environment. The flaw exists in versions prior to 0.8.29, so all earlier releases are susceptible to exploitation by attackers who understand the underlying mechanism.
The technical root cause is that the sandbox validates a key with hasOwnProperty(key) but then performs the actual property access with the same key value rather than with the string the check saw. The key is annotated as a string, but that type is never enforced, so a non-string object can reach both operations. Each operation coerces the object to a string independently, which creates a coercion attack surface: a malicious object can be crafted to produce one string representation when it is validated and a different one when it is used for the access. The vulnerability is categorized under CWE-256 as a "Sandbox Escape" and aligns with ATT&CK technique T1055.011 for "Process Injection" through sandbox bypass mechanisms.
The operational impact of this vulnerability is severe: it allows attackers to bypass the sandbox restrictions and potentially execute arbitrary code outside the intended secure boundaries. An attacker can construct objects that appear valid during the hasOwnProperty validation because of the string they coerce to at that moment, but that coerce to a different string when the same object is used for the actual property access, granting access to properties or methods that were never on the allowed list. This enables privilege escalation within the sandboxed environment and can lead to full system compromise if the sandbox is used to execute untrusted code with elevated privileges.
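The coercion mismatch described in the two paragraphs above, as an added illustration that is not SandboxJS code: `vulnerableGet`, `hardenedGet`, `makeFlipKey` and the sample objects are hypothetical, constructed here to model the bug class (a key checked with hasOwnProperty and then reused un-coerced for the access) next to the fix pattern of enforcing a primitive string key before both steps.

```javascript
// Constructed sample data: the object the sandbox exposes, and the list of
// keys the sandbox is supposed to allow. "secret" is deliberately NOT allowed.
const target = { greeting: "hello", secret: "constructed-secret-value" };
const allowedKeys = { greeting: true };

// Vulnerable pattern (hypothetical accessor, models the advisory's bug class):
// `key` is assumed to be a string but never checked. hasOwnProperty(key) and
// target[key] each coerce `key` to a string on their own, so an object with a
// stateful toString can present one name to the check and another to the access.
function vulnerableGet(key) {
  if (!Object.prototype.hasOwnProperty.call(allowedKeys, key)) {
    throw new Error("property not allowed");
  }
  return target[key]; // second, independent coercion of `key`
}

// Hardened pattern: reject anything that is not already a primitive string,
// so the value seen by the check is exactly the value used for the access.
function hardenedGet(key) {
  if (typeof key !== "string") {
    throw new TypeError("property key must be a string");
  }
  if (!Object.prototype.hasOwnProperty.call(allowedKeys, key)) {
    throw new Error("property not allowed");
  }
  return target[key];
}

// Constructed test double: a key object whose string value differs between
// its first and second coercion, i.e. "objects that coerce to different
// string values when used" in the advisory's words.
function makeFlipKey(first, second) {
  let calls = 0;
  return { toString() { return calls++ === 0 ? first : second; } };
}

// Returns what each accessor does with a flipping key, for inspection.
function demo() {
  const leaked = vulnerableGet(makeFlipKey("greeting", "secret"));
  let hardenedRejected = false;
  try {
    hardenedGet(makeFlipKey("greeting", "secret"));
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }
  return { leaked, hardenedRejected };
}
```

Running `demo()` shows the vulnerable accessor returning the non-allowed value while the hardened one refuses the object key outright; detection-wise, a non-string key reaching a property whitelist check is itself the signal worth logging.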
Mitigation strategies for CVE-2026-25641 require immediate deployment of the patched version 0.8.29 of SandboxJS, which resolves the key validation and access inconsistency. Organizations should also implement comprehensive code review processes to identify similar patterns in other sandboxing implementations and ensure proper type enforcement throughout validation routines. Security teams should monitor for potential exploitation attempts through behavioral analysis of sandboxed code execution and implement additional runtime protections such as strict mode enforcement and property descriptor validation. The fix addresses the core issue by ensuring consistent key handling between validation and access phases, preventing the coercion attack vectors that enabled the sandbox escape.