CVE-2026-25641: @nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses
A sandbox escape vulnerability caused by a mismatch between the key on which validation is performed and the key actually used to access the property.
References
- github.com/advisories/GHSA-7x3h-rm86-3342
- github.com/nyariv/SandboxJS
- github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts
- github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
- github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342
- nvd.nist.gov/vuln/detail/CVE-2026-25641