CVE-2025-34146: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability was discovered in @nyariv/sandboxjs versions <= 0.8.23. The vulnerability (CVE-2025-34146) allows attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. The issue was disclosed on July 31, 2025, affecting the JavaScript-based sandbox library (NVD, VulnCheck).

The vulnerability stems from insufficient prototype access checks in the sandbox's executor logic, particularly in the handling of JavaScript function objects returned. The root cause is identified in the improper handling of property access for proto within the sandbox's executor logic, specifically in the anonymous function registered to handle property access (LispType.Prop) within the addOps function in src/executor.ts. The vulnerability has been assigned CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and received a CVSS v4.0 base score of 7.0 (High) (GitHub Issue, NVD).

The vulnerability can result in a denial-of-service (DoS) condition or, under certain conditions, allow attackers to escape the sandboxed environment intended to restrict code execution. This could potentially compromise the security boundaries established by the sandbox, leading to unauthorized code execution (NVD).

The vulnerability has been patched in version 0.8.24 of @nyariv/sandboxjs. The fix introduces additional checks for prototype access, particularly for the proto property, ensuring that any attempt to access or modify the prototype chain is properly validated against the configured whitelist (GitHub Issue).