CVE Details
Basic Information
| Title | nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS |
|---|---|
| Type | cve |
| Published | 2025-07-31T14:59:35.716Z |
| Modified | 2025-07-31T14:59:35.716Z |
Product Information
| Vendor | nyariv |
|---|---|
| Product | sandboxjs |
| Version | * |
CVSS Information
| Base Score | 7.0 (HIGH) |
|---|---|
| Attack Vector | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | A prototype pollution vulnerability in @nyariv/sandboxjs versions <=0.8.23 allows attackers to inject properties into Object.prototype, potentially causing a denial of service or an escape from the sandbox environment. This is due to insufficient prototype access checks in the sandbox's executor logic. |
|---|---|
| AI Severity | High |
| AI Vendor | nyariv |
| AI Product | sandboxjs |
| AI Version | 0.8.23 |
Affected Products
- nyariv sandboxjs *
Additional Information
| CWE List | CWE-1321 |
|---|---|
| Source | VulnCheck |
Description
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, an escape from the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox's executor logic, particularly in the handling of JavaScript function objects returned.