What is CVE-2025-34146?

CVE-2025-34146 is a vulnerability in Nyariv Sandboxjs, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). Published 2025-07-31.

Is CVE-2025-34146 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Prototype Pollution in Nyariv Sandboxjs

CVE-2025-34146

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition…

Vulnerability class: Prototype Pollution

EPSS: 0.015 (81.2th percentile) — read the EPSS interpretation.

Affected products

Nyariv Sandboxjs — versions 0

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

gist.github.com/Hagrid29/9df27829a491080f923c4f6b8518d7e3 (issue-tracking, exploit)
github.com/nyariv/SandboxJS/issues/31 (patch, vendor-advisory)
www.npmjs.com/package/@nyariv/sandboxjs (product)
www.vulncheck.com/advisories/nyariv-sandboxjs-prototype-pollution-sandbox-escap… (third-party-advisory)

Frequently asked questions

What is CVE-2025-34146?: CVE-2025-34146 is a vulnerability in Nyariv Sandboxjs, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). Published 2025-07-31.
Is CVE-2025-34146 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.