CVE-2026-25520: @nyariv/sandboxjs has a Sandbox Escape issue

February 5, 2026 (updated February 6, 2026)

The return values of functions aren’t wrapped. Object.values/Object.entries can be used to get an Array containing the host’s Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox.

References

github.com/advisories/GHSA-58jh-xv4v-pcx4
github.com/nyariv/SandboxJS
github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4
nvd.nist.gov/vuln/detail/CVE-2026-25520

Code Behaviors & Features

Detect and mitigate CVE-2026-25520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →