CVE-2026-25641: The Chameleon Key: Breaking SandboxJS with a Shape-Shifting Object

Published: (February 7, 2026 at 01:40 PM EST)
2 min read
Source: Dev.to

Vulnerability Overview

  • CVE ID: CVE-2026-25641
  • CVSS Score: 10.0 (Critical)
  • Published: 2026-02-06
  • CWE: CWE-367 (TOCTOU)
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)

A critical Time‑of‑Check Time‑of‑Use (TOCTOU) vulnerability exists in SandboxJS (@nyariv/sandboxjs) before version 0.8.29. The property‑key validation accepts a stateful object whose string form is benign when the check runs but becomes a forbidden key (e.g., constructor) when the key is actually used for the property access, giving sandboxed code a path out to the host environment.

Technical Details

SandboxJS validated property keys without first coercing them to a primitive, and the same original value was then used for the property access itself. Every use of an object as a key triggers a fresh object‑to‑primitive conversion, so an attacker can pass an object whose string form changes between the check and the use:

// Malicious key object: its string form changes from one coercion to the next
let coercions = 0;
const maliciousKey = {
  toString() {
    // First coercion (the validation check) returns a benign name;
    // the next coercion (the actual property access) returns the forbidden key.
    // Both String(x) and property-key coercion try toString() before valueOf().
    return coercions++ === 0 ? 'safeKey' : 'constructor';
  }
};

During validation the key is coerced once and appears harmless. When the same object is later used as a property key, it is coerced again (JavaScript's ToPropertyKey conversion, which calls toString() before falling back to valueOf()), and this second conversion yields "constructor". The attacker thereby reaches the constructor property of a host object and can go on to execute arbitrary code.

Exploit Flow

  1. Check Phase: SandboxJS calls isPropertyKey(b). The malicious object passes because the string it produces for the check is a safe name.
  2. Use Phase: The same object is used as the property key. It is coerced a second time, and this time yields "constructor".
  3. Result: The attacker obtains a reference to the host object's constructor, from which the Function constructor and arbitrary code execution are reachable.

Patch

The issue was fixed in SandboxJS version 0.8.29 (commit 67cb186c41c78c51464f70405504e8ef0a6e43c3). The fix coerces the key to a string before validation, so the value that is checked is the same primitive that is later used for the access:

// Fixed code (JavaScript)
if (!isPropertyKey(b)) {
  b = `${b}`;   // Explicitly coerce to a primitive string
}
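To make the check‑then‑use gap concrete, here is an added, self‑contained JavaScript example (written for this write‑up, not SandboxJS's own code). It pairs a toy guard with the vulnerable shape described in Technical Details and Exploit Flow against a guard with the coerce‑first shape of the patch. FORBIDDEN, isAllowedKey, vulnerableGet, safeGet, makeChameleonKey and probe are hypothetical names standing in for SandboxJS's validation and executor logic; the sample target object is constructed for the demonstration.

```javascript
// Added example, not SandboxJS code: a toy property-access guard with the same
// check-then-use shape as the vulnerable flow, beside a coerce-first version.
// FORBIDDEN, isAllowedKey, vulnerableGet, safeGet, makeChameleonKey and probe
// are hypothetical names standing in for SandboxJS's own validation/executor code.

const FORBIDDEN = new Set(['constructor', '__proto__', 'prototype']);

// Denylist check on the key's string form. String(obj) runs ToPrimitive with a
// string hint, so for an object this calls obj.toString() first.
function isAllowedKey(key) {
  return !FORBIDDEN.has(String(key));
}

// Vulnerable shape: validate the key, then use the ORIGINAL value for the access.
// target[key] coerces the object a second time (ToPropertyKey -> toString()),
// so an object whose toString() is stateful can answer differently each time.
function vulnerableGet(target, key) {
  if (!isAllowedKey(key)) {
    throw new Error(`forbidden key: ${String(key)}`);
  }
  return target[key];
}

// Fixed shape: coerce to a primitive exactly once, validate that primitive, and
// use the same primitive for the access. Symbols are left alone because a
// template literal would throw a TypeError on them.
function safeGet(target, key) {
  const k = typeof key === 'symbol' ? key : `${key}`;
  if (!isAllowedKey(k)) {
    throw new Error(`forbidden key: ${String(k)}`);
  }
  return target[k];
}

// "Chameleon" key: benign on its first coercion, forbidden on every later one.
// The state lives in toString() because both String(x) and property-key
// coercion try toString() before valueOf(); a valueOf()-only trick never fires here.
function makeChameleonKey(safeName, realName) {
  let calls = 0;
  return {
    toString() {
      return calls++ === 0 ? safeName : realName;
    },
  };
}

// Runs one guard and reports the outcome instead of throwing, so the two
// paths can be compared side by side.
function probe(guard, target, key) {
  try {
    return { ok: true, value: guard(target, key) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample target: it really has the harmless property the key claims to name.
const sampleTarget = { safeKey: 'benign' };

// Vulnerable path: the check sees "safeKey", the access resolves "constructor"
// and hands back the target's constructor (Object for a plain object; inside a
// sandbox that is the first hop towards Function and the host).
function demoVulnerable() {
  return probe(vulnerableGet, sampleTarget, makeChameleonKey('safeKey', 'constructor'));
}

// Fixed path: the coerced string "safeKey" is what gets validated AND used, so
// the key's later answers are never consulted.
function demoSafe() {
  return probe(safeGet, sampleTarget, makeChameleonKey('safeKey', 'constructor'));
}

// Both guards still reject a plainly forbidden key; the fix loses nothing.
function demoPlainForbidden() {
  return [
    probe(vulnerableGet, sampleTarget, 'constructor'),
    probe(safeGet, sampleTarget, 'constructor'),
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', demoVulnerable());
  console.log('fixed:     ', demoSafe());
  console.log('plain key: ', demoPlainForbidden());
}
```

Run it with node: the vulnerable guard returns Object (the constructor of the sample target) even though the check saw "safeKey", the fixed guard returns "benign", and both reject a literal "constructor". The design point is that the fix is not a stronger denylist but a change in data flow: whatever primitive the check examined must be the exact value the access uses.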

Updated Versions

  • @nyariv/sandboxjs ≥ 0.8.29 (fixed)

Remediation Steps

  1. Upgrade the library
    npm install @nyariv/sandboxjs@^0.8.29
  2. Audit custom executor code to confirm that every property key is coerced to a primitive exactly once, and that the coerced value (never the original object) is what gets validated and then used for the access.
  3. Apply the principle of least privilege to sandboxed code: restrict network and file system access to only what is necessary.
  4. Monitor for related advisories (e.g., GHSA‑7x3h‑rm86‑3342) and apply future patches promptly.

References

  • GitHub Security Advisory: GHSA‑7x3h‑rm86‑3342, the original advisory describing the TOCTOU issue.
  • Patch Commit: 67cb186c41c78c51464f70405504e8ef0a6e43c3
  • CWE‑367: TOCTOU

For a full report, including interactive diagrams and exploit analysis, refer to the official CVE‑2026‑25641 page on the vendor’s website.
