CVE-2025-34146: 
JavaScript vulnerability analysis and mitigation

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. The vulnerability was discovered on April 12, 2025, and affects the sandbox's executor logic, particularly in the handling of JavaScript function objects. This security issue has been assigned CVE-2025-34146 (VulnCheck Advisory).

The vulnerability stems from insufficient prototype access checks in the sandbox's executor logic. The issue occurs in dist/node/executor.js#L226 where the sandbox fails to properly validate prototype access for function objects. The exploit leverages the fact that when checking proto of string.sub, it enters a branch that doesn't catch SandboxError since the type is a function and hasOwnProperty of proto returns false. Similar behavior occurs with (()=>"").proto access. The vulnerability has been assigned a CVSS v4.0 score of 7.0 (High) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck Advisory, GitHub Issue).

The vulnerability can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. This allows attackers to bypass the security mechanisms meant to isolate untrusted code execution (VulnCheck Advisory).

Users should upgrade to versions newer than 0.8.23 of @nyariv/sandboxjs to address this vulnerability. The issue has been reported to the project maintainers through GitHub issue #31 (GitHub Issue, NPM Package).