A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could allow arbitrary code execution.
This vulnerability is tracked as CVE-2026-5752 and is rated 9.3 on the CVSS scoring system.
“A sandbox escape vulnerability in Terrarium could allow arbitrary code execution with root privileges on the host process via JavaScript prototype chain traversal,” according to the flaw description on CVE.org.
Developed as an open source project by Cohere AI, Terrarium is a Python sandbox used as a Docker-deployed container for running untrusted code written by users or generated with the aid of large-scale language models (LLMs).
In particular, Terrarium will run on Pyodide, a Python distribution for browsers and Node.js, and will be able to support standard Python packages. This project has been forked 56 times and starred 312 times.
According to the CERT Coordination Center (CERT/CC), the root cause is related to JavaScript prototype chain traversal in the Pyodide WebAssembly environment that allows code execution with elevated privileges on the host Node.js process.
Successful exploitation of this vulnerability could allow an attacker to breach the sandbox boundary and execute arbitrary system commands as root within the container.
Additionally, it may allow unauthorized access to sensitive files such as ‘/etc/passwd’, reach other services on the container’s network, or even escape the container for further privilege escalation.
Note that this attack requires local access to the system, but does not require user interaction or special privileges to be exploited.
Security researcher Jeremy Brown is credited with discovering and reporting the flaw. Given that the project is not actively maintained, it is unlikely that this vulnerability will be fixed.
As a mitigation measure, CERT/CC advises users to take the following steps:
If possible, disable features that allow users to submit code to the sandbox. Segment your network to limit your attack surface and prevent lateral movement. Deploy a web application firewall to detect and block suspicious traffic, including attempts to exploit vulnerabilities. Monitor container activity for signs of suspicious behavior. Restrict access to containers and their resources to authorized personnel only. Manage and secure your containers with secure container orchestration tools. Make sure your dependencies are up to date and patched.
SentinelOne stated that “Sandboxing does not properly prevent access to parent objects or prototypes of global objects, allowing sandboxed code to reference and manipulate objects within the host environment.” “This prototype contamination or traversal technique circumvents the intended security perimeter of the sandbox.”
Source link
