Cohere AI Terrarium Sandbox Flaw Permits Root Code Execution, Container Escape

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system.

“Sandbox escape vulnerability in Terrarium permits arbitrary code execution with root privileges on a host process through JavaScript prototype chain traversal,” according to a description of the flaw on CVE.org.

Developed by Cohere AI as an open-source project, Terrarium is a Python sandbox that is used as a Docker-deployed container for running untrusted code written by users or generated with help from a large language model (LLM).

Notably, Terrarium runs on Pyodide, a Python distribution for the browser and Node.js, enabling it to support standard Python packages. The project has been forked 56 times and starred 312 times.

According to the CERT Coordination Center (CERT/CC), the root cause relates to a JavaScript prototype chain traversal in the Pyodide WebAssembly environment that permits code execution with elevated privileges on the host Node.js process.

Successful exploitation of the vulnerability can allow an attacker to break out of the confines of the sandbox and execute arbitrary system commands as root within the container.

In addition, it can allow unauthorized access to sensitive files, such as “/etc/passwd,” reach other services on the container’s network, and even potentially escape the container and escalate privileges further.

It bears noting that the attack requires local access to the system but does not require any user interaction or special privileges to exploit.

Security researcher Jeremy Brown has been credited with discovering and reporting the flaw. Given that the project is no longer actively maintained, the vulnerability is unlikely to be patched.

As mitigations, CERT/CC is advising users to take the following steps:

  • Disable features that allow users to submit code to the sandbox, if possible.
  • Segment the network to limit the attack surface and prevent lateral movement.
  • Deploy a Web Application Firewall to detect and block suspicious traffic, including attempts to exploit the vulnerability.
  • Monitor container activity for signs of suspicious behavior.
  • Limit access to the container and its resources to authorized personnel only.
  • Use a secure container orchestration tool to manage and secure containers.
  • Ensure that dependencies are up-to-date and patched.

“The sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment,” SentinelOne said. “This prototype pollution or traversal technique bypasses the intended security boundaries of the sandbox.”
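
The class of weakness described above, a host object whose prototype chain stays reachable from sandboxed code, can be audited for and closed off at the hand-off point. The following is an added example, not code from Terrarium, Pyodide or the advisory, and it does not reproduce the CVE itself; the function names `canReachHostFunction` and `toSandboxSafe` and the sample config are assumptions made for illustration.

```javascript
// Added illustration of the bug class; not Terrarium or Pyodide code.
// canReachHostFunction and toSandboxSafe are hypothetical names.
const BLOCKED_KEYS = new Set(["constructor", "__proto__", "prototype"]);

const isRef = (v) =>
  v !== null && (typeof v === "object" || typeof v === "function");

// Audit helper: true if untrusted code holding `value` could walk its
// prototype chain (or a nested property) to a host-realm function, and
// from there to Function, which compiles strings into host code.
function canReachHostFunction(value, seen = new Set()) {
  if (!isRef(value) || seen.has(value)) return false;
  seen.add(value);
  if (typeof value === "function") return true;
  for (let cur = value; cur !== null; cur = Object.getPrototypeOf(cur)) {
    const d = Object.getOwnPropertyDescriptor(cur, "constructor");
    if (d && typeof d.value === "function") return true;
  }
  return Object.keys(value).some((k) => canReachHostFunction(value[k], seen));
}

// Hardened hand-off: deep-copy plain data into frozen null-prototype
// objects, so nothing the sandbox receives inherits from host prototypes.
// Arrays become null-prototype objects keyed by index.
function toSandboxSafe(value, depth = 0) {
  if (depth > 8) throw new RangeError("value nested too deeply to copy");
  if (value === null || ["string", "number", "boolean"].includes(typeof value)) {
    return value;
  }
  if (typeof value !== "object") {
    throw new TypeError("refusing to expose a " + typeof value);
  }
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop traversal-prone keys
    out[key] = toSandboxSafe(value[key], depth + 1);
  }
  return Object.freeze(out);
}

// Constructed sample input: a config object the host would pass to a sandbox.
const hostConfig = JSON.parse(
  '{"limit": 5, "paths": {"tmp": "/tmp"}, "__proto__": {"x": 1}}'
);
console.log(canReachHostFunction(hostConfig));                // true
console.log(canReachHostFunction(toSandboxSafe(hostConfig))); // false
```

Copying data this way only covers values the host deliberately passes in; it complements, and does not replace, the container-level mitigations listed above.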
