VDB

GCVE-110-CERTCC-2026-414811

GCVE-110-CERTCC-2026-414811
Advisory Published
Vulnetix · Advisory published April 21, 2026
### Overview Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host `Node.js` process. This vulnerability is caused by a JavaScript prototype chain traversal in the Pyodide WebAssembly environment. ### Description The root cause of the vulnerability lies in the configuration of `jsglobals` objects in `service.ts`. Specifically, the mock document object is created using a standard JavaScript object literal, which inherits properties from `Object.prototype`. This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns `globalThis`, and from there access `Node.js` internals, including `require()`. As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container. **CVE-2026-5752** Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. ### Impact Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to: * Execute arbitrary commands as root inside the container * Access and modify sensitive files, including `/etc/passwd` and environment variables * Reach other services on the container's network, including databases and internal APIs * Potentially escape the container and escalate privileges further ### Mitigation Unfortunately, we were unable to coordinate with the vendor to obtain a patch or fix for this vulnerability. In the meantime, several mitigation strategies can be employed to reduce the risk of exploitation. Users should consider implementing the following measures: * **Disable unnecessary features**: Disable any features that allow users to submit code to the sandbox, if possible. * **Implement network segmentation**: Segment the network to limit the attack surface and prevent lateral movement. * **Use a Web Application Firewall (WAF)**: Deploy a WAF to detect and block suspicious traffic, including attempts to exploit the vulnerability. * **Monitor container activity**: Regularly monitor container activity for signs of suspicious behavior. * **Implement access controls**: Limit access to the container and its resources to authorized personnel only. * **Use a secure container orchestration tool:** Utilize a secure container orchestration tool to manage and secure containers. * **Regularly update and patch dependencies**: Ensure that dependencies are up-to-date and patched. ### Acknowledgments The vulnerability was discovered by Jeremy Brown, who used AI-assisted vulnerability research to identify the issue. This document was written by Timur Snoke with assistance from AI.

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›