SCA: security update for @nyariv/sandboxjs (GHSA-ww7g-4gwx-m7wj)

critical Tenable Self-Hosted Container Security Plugin ID 437660

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows
sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array
literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed
into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from
within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in
applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This
vulnerability is fixed in 0.8.31. (CVE-2026-25881)

See Also

https://github.com/advisories/GHSA-ww7g-4gwx-m7wj

Plugin Details

Severity: Critical

ID: 437660

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 2/10/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.33

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25881

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/10/2026

Vulnerability Publication Date: 2/9/2026

Reference Information

CVE: CVE-2026-25881