"Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal, according to a description of the flaw in CVE.org."
"Successful exploitation of the vulnerability can allow an attacker to break out of the confines of the sandbox and execute arbitrary system commands as root within the container."
"The root cause relates to a JavaScript prototype chain traversal in the Pyodide WebAssembly environment that enables code execution with elevated privileges on the host Node.js process."
"Given that the project is no longer actively maintained, the vulnerability is unlikely to be patched."
A security vulnerability in the Terrarium Python sandbox, tracked as CVE-2026-5752, allows arbitrary code execution with root privileges. This flaw arises from a JavaScript prototype chain traversal in the Pyodide environment. Exploitation can lead to unauthorized access to sensitive files and potential privilege escalation. The vulnerability requires local system access but no user interaction. The project, developed by Cohere AI, is no longer maintained, making a patch unlikely. CERT/CC recommends disabling user code submission features as a mitigation strategy.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]