Code Red: 4 Critical SandboxJS Flaws (CVSS 10.0) Allow Host Takeover – CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, CVE-2026-25641

Key Takeaways:

  • Four distinct vulnerabilities in SandboxJS have been assigned the maximum CVSS score of 10.0.
  • Exploitation allows attackers to escape the JavaScript sandbox and achieve full host system compromise.
  • Flaws involve failures in function wrapping, prototype manipulation, and Time-of-Check to Time-of-Use (TOCTOU) errors.
  • Organizations must immediately update to SandboxJS version 0.8.29 to mitigate these risks.

Vulnerability Overview and Impact

SandboxJS is a library utilized for the isolation and secure execution of JavaScript in environments where untrusted code must be processed without compromising the host system. It functions by creating a restricted environment, often referred to as a sandbox, which intercepts calls to sensitive APIs and prevents access to the global scope or the host’s underlying resources.

Recently, a series of critical vulnerabilities was identified in this library that fundamentally undermines its isolation capabilities. Security researchers identified four distinct flaws that enable an attacker to escape the sandbox and execute arbitrary code on the host.

These vulnerabilities are tracked as CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, and CVE-2026-25641. Each vulnerability has been assigned a CVSS score of 10.0, the maximum possible rating, reflecting the severity of the threat and the ease with which host takeover can occur. These flaws affect all versions of SandboxJS up to and including 0.8.28.

Analysis of CVE-2026-25520: Function Return Value Wrapping Failure

The first critical flaw, CVE-2026-25520, centers on how the library handles values returned by functions executed within the sandboxed environment. In a secure sandbox architecture, any object or function that crosses the boundary between the sandboxed code and the host environment must be “wrapped.” This wrapping process ensures that the sandboxed code only interacts with a proxy or a sanitized version of the object, preventing it from accessing properties that could lead back to the host’s global context.

Research findings indicate that in SandboxJS versions 0.8.28 and earlier, return values of certain functions are not properly wrapped. This omission creates a direct path to the host’s Function constructor. In JavaScript, the Function constructor can be used to create new functions from strings of code, and these functions execute in the global scope rather than the local scope where they were created.

An attacker can exploit this by using standard JavaScript methods such as Object.values() or Object.entries(). If the object being queried is part of the host environment and the return values of these methods are not wrapped by the sandbox, the attacker can retrieve a reference to a host-level function. By accessing the .constructor property of such a function, the attacker gains access to the host’s Function constructor. Executing code through this constructor allows for arbitrary code execution outside the sandbox constraints.

Analysis of CVE-2026-25587: Map Prototype Manipulation

The second vulnerability, CVE-2026-25587, targets the Map object, which is included in the library’s SAFE_PROTOTYPES list. The library uses this list to identify objects that are considered safe for the sandboxed code to interact with directly. However, a bug in the library’s implementation of the let keyword allows an attacker to manipulate these prototypes.

Because Map is considered safe, its prototype is accessible within the sandbox. An attacker can leverage the implementation flaw to overwrite the Map.prototype.has method. The sandbox relies on internal logic that frequently calls .has() to verify the existence of properties or to perform security checks.

By replacing the legitimate .has method with a malicious function, the attacker can alter the behavior of the sandbox’s internal security logic. This manipulation can be used to bypass property whitelists or redirect internal function calls, ultimately leading to a sandbox escape. This flaw demonstrates the risks associated with allowing any direct access to shared prototypes, even those labeled as safe.

Analysis of CVE-2026-25586: Host Prototype Pollution

CVE-2026-25586 involves a “Host Prototype Pollution” vulnerability. Prototype pollution occurs when an attacker can modify the attributes of base objects, such as Object.prototype. Because almost all objects in JavaScript inherit from Object.prototype, modifying it allows an attacker to inject properties into every object in the environment.

SandboxJS attempts to prevent this by using a whitelist of allowed properties and performing checks using the hasOwnProperty method. The vulnerability arises because SandboxJS allows an attacker to “shadow” or replace the hasOwnProperty method on a sandboxed object. When the sandbox’s internal security logic attempts to verify if a property is safe, it inadvertently executes the attacker’s version of the method.

By making the shadowed hasOwnProperty method return true for sensitive properties like __proto__ or constructor, the attacker can trick the sandbox into skipping its whitelist checks. Once these checks are bypassed, the attacker can access and modify the host’s prototypes. This provides a mechanism for host takeover by polluting the global environment and redirecting execution flows to malicious code.
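
The weak check described above, next to a hardened form, as an added example that is not SandboxJS source code. The guard functions, the whitelist contents and the sample objects are hypothetical and constructed for illustration.

```javascript
// Added illustration; not SandboxJS source. All names here are hypothetical.
// Inherited members the guest may read (assumed policy).
const INHERITED_ALLOWED = new Set(['toString', 'valueOf']);
// Keys that lead back to prototypes or constructors: never readable.
const DENIED = new Set(['__proto__', 'constructor', 'prototype']);

// Capture the intrinsic once, before any untrusted code can run.
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);

// Weak guard: asks the object itself, so a shadowed method answers.
function mayReadWeak(obj, key) {
  if (obj.hasOwnProperty(key)) return true; // guest-controlled result
  return INHERITED_ALLOWED.has(key);
}

// Hardened guard: deny-list first, then the captured intrinsic.
function mayReadHardened(obj, key) {
  if (DENIED.has(key)) return false;
  if (hasOwn(obj, key)) return true;
  return INHERITED_ALLOWED.has(key);
}

// Constructed sample: a guest object that shadows hasOwnProperty.
const shadowed = { data: 1, hasOwnProperty: () => true };
// Constructed sample: null-prototype object, which has no such method at all.
const bare = Object.assign(Object.create(null), { data: 2 });

function demo() {
  return {
    weakConstructor: mayReadWeak(shadowed, 'constructor'),     // true: bypass
    hardConstructor: mayReadHardened(shadowed, 'constructor'), // false
    hardOwnData: mayReadHardened(shadowed, 'data'),            // true
    hardBareData: mayReadHardened(bare, 'data'),               // true
    hardBareOther: mayReadHardened(bare, 'secret'),            // false
  };
}

console.log(demo());
```

The hardened guard never dispatches through the guest object, so it also works on null-prototype objects where `obj.hasOwnProperty` would throw.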

Analysis of CVE-2026-25641: TOCTOU and Coercion Vulnerability

The final vulnerability, CVE-2026-25641, is a Time-of-Check to Time-of-Use (TOCTOU) bug. This class of vulnerability occurs when a system validates a resource (the “check”) but the resource changes before it is actually utilized (the “use”). In the context of SandboxJS, the library validates a property key at one point in its execution but uses that same key later.

The research shows that attackers can pass malicious objects as keys. In JavaScript, when an object is used in a context that requires a string, the engine “coerces” the object into a string by calling its toString() or valueOf() methods.

An attacker can define a custom object where the first call to toString() (during the security check) returns a safe, whitelisted string. However, the second call to toString() (when the property is actually accessed) returns a malicious payload or a reference to a sensitive property like constructor. Because the sandbox does not re-validate the key at the moment of use, the security check is effectively bypassed.
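
The double coercion described above and the single-coercion fix, as an added example that is not SandboxJS source code. The accessor functions, the blocked-key set and the shifting key object are hypothetical and constructed for illustration.

```javascript
// Added illustration; not SandboxJS source. Names are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Weak: the check coerces the key once, the access coerces it again.
function getWeak(target, key) {
  if (BLOCKED.has(String(key))) throw new Error('blocked key'); // check
  return target[key];                                           // use
}

// Hardened: coerce once to a primitive, then check and use that same value.
function getHardened(target, key) {
  const k = typeof key === 'symbol' ? key : String(key);
  if (BLOCKED.has(k)) throw new Error('blocked key');
  return target[k];
}

// Constructed sample key: toString() answers differently on each call.
function makeShiftingKey() {
  let calls = 0;
  return { toString: () => (calls++ === 0 ? 'name' : 'constructor') };
}

function demo() {
  const target = { name: 'report' };
  const weak = getWeak(target, makeShiftingKey());
  const hard = getHardened(target, makeShiftingKey());
  let directBlocked = false;
  try { getHardened(target, 'constructor'); } catch { directBlocked = true; }
  return { weakLeaksConstructor: weak === Object, hard, directBlocked };
}

console.log(demo());
```

In the hardened accessor the key object's `toString()` runs exactly once, so the value that passed the check is the value used for the lookup.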

Supply Chain and Threat Landscape Context

The existence of four CVSS 10.0 vulnerabilities in a security-centric library like SandboxJS highlights a critical point of failure in software supply chains. Organizations often integrate third-party libraries to handle specialized tasks like sandboxing, assuming these tools provide a layer of defense. When the tool itself is flawed, it becomes a high-value target for actors who specialize in underground forum intelligence.

Techniques for sandbox escape are frequently discussed in restricted environments. Utilizing a dark web monitoring service allows organizations to identify when proof-of-concept (POC) exploits for CVEs like these are shared among threat actors. Furthermore, a strategy involving proactive monitoring can provide early warning signs of active exploitation in the wild.

To manage the risks associated with these vulnerabilities, a cyber threat intelligence platform is necessary to aggregate data from multiple sources. This includes tracking the release of patches and identifying which internal applications are dependent on the vulnerable library version. In many cases, these vulnerabilities are exploited to deliver ransomware. Accessing real-time ransomware intelligence and a live ransomware API can help security teams understand the specific tactics, techniques, and procedures (TTPs) that follow a host takeover event.

Breach Detection and Risk Mitigation

If an attacker successfully exploits one of these SandboxJS flaws, they gain code execution capabilities on the host. This necessitates effective breach detection mechanisms. Because the escape happens at the application level, standard network-level defenses may not immediately trigger alerts. Security teams must monitor for unusual process spawning, unauthorized file system access, or unexpected network connections originating from the application process that hosts the sandbox.

For businesses, supply-chain risk monitoring must involve a detailed inventory of all JavaScript dependencies. Automated tools can scan for vulnerable versions of SandboxJS and flag them for immediate remediation. Additionally, proactive monitoring can alert teams to the disclosure of sensitive company data or credentials that might have been harvested following a successful sandbox escape.

Practical Takeaways for Technical Teams

Technical teams must prioritize the following actions to address CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, and CVE-2026-25641:

  • Immediate Version Audit: Identify all instances of SandboxJS within the environment. Any version equal to or lower than 0.8.28 is vulnerable.
  • Update to Version 0.8.29: The maintainers have released version 0.8.29, which includes a comprehensive patch. This is the primary remediation step.
  • Implement Strict Coercion Checks: If maintaining a custom fork, ensure that property keys are cast to primitives (strings) before the check occurs.
  • Seal Prototypes: In high-security environments, consider freezing or sealing prototypes of base objects to prevent prototype pollution.
  • Environment Isolation: Run the process hosting the sandbox with the minimum required privileges using OS-level isolation (cgroups or containers).
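
One way to run the version audit from the first two items, as an added example that is not from the SandboxJS project. It assumes an npm lockfile with the `packages` map (lockfileVersion 2 or 3) and that the library is installed under the package name `@nyariv/sandboxjs`; the lockfile content is constructed sample data.

```javascript
// Added illustration. PKG is an assumed npm package name; set it to the name
// your manifests actually use.
const PKG = '@nyariv/sandboxjs';
const FIXED = [0, 8, 29]; // fixed version named in the article

// True if version is below FIXED, is a pre-release of FIXED, or is unparseable.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version || ''));
  if (!m) return true; // cannot tell: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release such as 0.8.29-beta.1 precedes 0.8.29
}

// Walk every install path, so nested (transitive) copies are found too.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === 'node_modules/' + PKG ||
                     path.endsWith('/node_modules/' + PKG);
    if (isTarget && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: patched top-level copy, vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@nyariv/sandboxjs': { version: '0.8.29' },
    'node_modules/example-plugin-host': { version: '0.8.1' },
    'node_modules/example-plugin-host/node_modules/@nyariv/sandboxjs':
      { version: '0.8.28' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

For a real project, pass in the parsed contents of `package-lock.json` instead of `SAMPLE_LOCK`.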

Practical Takeaways for Business Leaders

For non-technical stakeholders, the focus should be on risk management and governance:

  • Dependency Governance: Establish a policy for tracking and updating open-source libraries. Critical vulnerabilities in common libraries can have a disproportionate impact on business continuity.
  • Incident Response Readiness: Ensure that incident response plans account for application-level compromises resulting from third-party library flaws.
  • Vendor Risk Management: If using third-party software that relies on JavaScript sandboxing, query the vendor regarding their use of SandboxJS and their update timeline.

PurpleOps Expertise and Services

The complexity of these sandbox escape vulnerabilities requires a multi-layered security approach. PurpleOps provides the specialized tools and expertise needed to identify, monitor, and mitigate such risks.

Our PurpleOps platform integrates data from diverse sources to provide a unified view of the threat landscape. To address the risks of library exploitation, our dark web monitoring service scans underground marketplaces for potential exploit vectors.

For organizations concerned about the security of their software stack, PurpleOps offers comprehensive services. Our analysts simulate real-world attacks, including sandbox escapes and prototype pollution, to verify the efficacy of your security controls. Additionally, our supply-chain information security services help you manage the complex web of third-party dependencies.

In the event of a host takeover, our ransomware protection solutions ensure that the impact is minimized through rapid identification and containment. For more information on how PurpleOps can secure your environment, visit our PurpleOps Solutions page.

Frequently Asked Questions (FAQ)

What is SandboxJS and why is it used?
SandboxJS is a library designed to execute untrusted JavaScript code in an isolated environment. It is commonly used to run user-provided scripts or third-party plugins while preventing them from accessing the host system’s global scope or sensitive resources.

What is the impact of a CVSS 10.0 score in this context?
A CVSS 10.0 score indicates the highest possible severity. It means the vulnerabilities are easy to exploit, require no special privileges, and result in a total loss of confidentiality, integrity, and availability, leading to full host takeover.

How do I know if my application is vulnerable?
If your application uses SandboxJS version 0.8.28 or any earlier version, it is vulnerable to all four flaws (CVE-2026-25520, CVE-2026-25586, CVE-2026-25587, and CVE-2026-25641).

What is the recommended fix?
The recommended remediation is to immediately update the SandboxJS dependency to version 0.8.29, which contains the necessary security patches.

What is a TOCTOU vulnerability?
Time-of-Check to Time-of-Use (TOCTOU) is a race condition or logic error where a security check is performed on a resource, but the resource is changed before it is actually used, allowing an attacker to bypass the validation.