CVE Reports

Originally published at cvereports.com

CVE-2026-25641: The Chameleon Key: Breaking SandboxJS with a Shape-Shifting Object

Vulnerability ID: CVE-2026-25641
CVSS Score: 10.0
Published: 2026-02-06

A critical Time-of-Check Time-of-Use (TOCTOU) vulnerability in SandboxJS allows attackers to bypass its property-access restrictions and achieve Remote Code Execution (RCE). Because JavaScript coerces an object used as a property key to a primitive each time it is used, a malicious object can masquerade as a benign property key while the sandbox validates it, then coerce to a forbidden key such as 'constructor' when the property is actually accessed.

TL;DR

SandboxJS failed to coerce property keys to primitives before validating them, so the check and the access each coerced the key separately. An attacker can pass a stateful object as the key: its string coercion returns a harmless name when checked, but 'constructor' when accessed, exposing host-environment constructors and with them arbitrary code execution (RCE). CVSS 10.0.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-25641
  • CVSS: 10.0 (Critical)
  • CWE: CWE-367 (TOCTOU)
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Patch Commit: 67cb186c41c78c51464f70405504e8ef0a6e43c3

Affected Systems

  • SandboxJS (@nyariv/sandboxjs) < 0.8.29 (fixed in 0.8.29)

Code Analysis

Commit: 67cb186

Fixed sandbox escape via TOCTOU on property access

// Anything that is not already a primitive property key is coerced to a string
// exactly once, so the value that is validated is the value that is accessed.
if (!isPropertyKey(b)) { b = `${b}`; }

Exploit Details

Mitigation Strategies

  • Explicit Type Coercion: normalize a property key to a single primitive before any check, and use that same value for the access.
  • Library Updates: move to @nyariv/sandboxjs 0.8.29 or later, which carries the fix.
  • Architecture Review: treat the sandbox as one layer and limit what an escape could reach.

Remediation Steps:

  1. Update @nyariv/sandboxjs to version 0.8.29 or later.
  2. Audit any custom executor code to ensure property keys are coerced to a primitive exactly once, before validation, and that the validated value is the one used for the access (a second coercion reopens the race).
  3. Review usage of sandboxed code to ensure it runs with the least necessary privileges (e.g., restricted network/file access), so a future escape yields as little as possible.
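The check-then-access sequence described in the TL;DR, the single up-front coercion from the patch, and the audit guidance in step 2 above, as an added JavaScript example. This is not SandboxJS code or the published proof of concept: FORBIDDEN, vulnerableGet, hardenedGet, makeChameleonKey and the local isPropertyKey (a stand-in for whatever helper the patch calls) are names and shapes chosen here to model the pattern, and the target object is constructed for the demo.

```javascript
// Added illustration of the TOCTOU pattern from the advisory. Not SandboxJS
// code: every identifier below is chosen for this example.
const FORBIDDEN = new Set(['constructor', '__proto__', 'prototype']);

// A "chameleon" key: an object whose string coercion answers differently each
// time it is asked. The first coercion yields a harmless name, every later one
// yields the forbidden name. (Symbol.toPrimitive or valueOf could be abused
// the same way; toString is the hook used here.)
function makeChameleonKey(benign, forbidden = 'constructor') {
  let coercions = 0;
  return {
    toString() {
      coercions += 1;
      return coercions === 1 ? benign : forbidden;
    },
  };
}

// Vulnerable shape: the guard coerces the key (time of check) and the property
// access coerces it again (time of use). Nothing ties the two coercions
// together, so a stateful key passes the guard and still selects 'constructor'.
function vulnerableGet(target, key) {
  if (FORBIDDEN.has(String(key))) {   // coercion #1 -> benign name
    throw new Error('forbidden property');
  }
  return target[key];                 // coercion #2 -> 'constructor'
}

// Local stand-in for the helper the patch calls: true for values that are
// already usable as property keys without further coercion.
function isPropertyKey(v) {
  const t = typeof v;
  return t === 'string' || t === 'symbol' || t === 'number';
}

// Hardened shape, following the idea of the 0.8.29 fix: settle on a primitive
// key exactly once, then run the guard and the access against that same value.
function hardenedGet(target, key) {
  if (!isPropertyKey(key)) key = `${key}`;  // the only coercion that happens
  if (FORBIDDEN.has(String(key))) {
    throw new Error('forbidden property');
  }
  return target[key];                       // key is now a fixed primitive
}

// Constructed target standing in for an object the sandboxed code may touch.
function makeTarget() {
  return { greeting: 'hello' };
}

// Vulnerable path: the guard sees 'greeting', the access reads 'constructor'.
function demoVulnerable() {
  const leaked = vulnerableGet(makeTarget(), makeChameleonKey('greeting'));
  // `leaked` is the host Object constructor; its own .constructor is Function,
  // which compiles arbitrary host code. That is the escape.
  return {
    isHostObject: leaked === Object,
    reachesFunction: leaked.constructor === Function,
  };
}

// Hardened path with the same key: one coercion, so guard and access agree.
function demoHardened() {
  return hardenedGet(makeTarget(), makeChameleonKey('greeting'));  // 'hello'
}

// Hardened path with a key that has already flipped: the single coercion now
// yields 'constructor', and the guard rejects it before any access.
function demoHardenedBlocksFlippedKey() {
  const key = makeChameleonKey('greeting');
  String(key);  // burn the benign answer
  try {
    hardenedGet(makeTarget(), key);
    return false;
  } catch (e) {
    return e instanceof Error && e.message === 'forbidden property';
  }
}

console.log(JSON.stringify({
  vulnerable: demoVulnerable(),
  hardened: demoHardened(),
  blocked: demoHardenedBlocksFlippedKey(),
}));
```

The point the model makes is that the fix is not a stronger deny-list but a change of sequence: once the key is a primitive, there is nothing left for the attacker's object to do between the check and the use. Any executor that still performs `String(key)` in the guard and `target[key]` in the access has the same gap regardless of how complete its forbidden-name list is.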


Read the full report for CVE-2026-25641 on our website for more details including interactive diagrams and full exploit analysis.
