
CISA issues guidance on Terrarium CVE-2026-5752 sandbox escape

Terrarium contains a vulnerability that enables arbitrary code execution with root privileges on the host Node.js process. The issue is tied to a JavaScript prototype chain traversal in the Pyodide WebAssembly environment.

The root cause is the configuration of jsglobals objects in service.ts. In that file, the mock document object is built with a standard JavaScript object literal, so it inherits properties from Object.prototype. This inheritance chain lets sandbox code climb from the mock object to the Function constructor, build a function that returns globalThis, and from there reach Node.js internals, including require(). The vulnerability is tracked as CVE-2026-5752.
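The following is an added example written for this page, not Terrarium's own code: an audit that reports whether an object handed to a sandbox still carries an inherited path to a function constructor, and a hardening step that rebuilds the object with null prototypes so that path no longer exists. The function names and the sample mock document are assumptions, constructed here for illustration.

```javascript
'use strict';

// Walk an object graph the way sandbox code could and return a description of the first
// route to a function constructor, or null when no such route exists. Any object in the
// prototype chain with a function-valued "constructor" (Object.prototype qualifies) is
// flagged, as is any function value, since a function's own constructor is Function.
function findPrototypeLeak(value, path = 'root', seen = new Set()) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return null;
  if (seen.has(value)) return null;
  seen.add(value);
  if (typeof value === 'function') return `${path}: function value (its constructor is Function)`;
  for (let p = value; p !== null; p = Object.getPrototypeOf(p)) {
    const desc = Object.getOwnPropertyDescriptor(p, 'constructor');
    if (desc && typeof desc.value === 'function') {
      const where = p === value ? 'own' : 'inherited';
      return `${path}: reaches a function constructor via ${where} "constructor"`;
    }
  }
  for (const key of Object.keys(value)) {
    const leak = findPrototypeLeak(value[key], `${path}.${key}`, seen);
    if (leak) return leak;
  }
  return null;
}

// Deep-copy plain data into frozen null-prototype objects. Sandbox code can then neither
// climb to Object.prototype nor add its own "constructor" property. Functions are refused
// rather than copied; arrays become index-keyed null-prototype objects (an assumption of
// this example, acceptable for a read-only mock).
function toNullPrototype(value, seen = new Map()) {
  if (typeof value === 'function') throw new TypeError('functions are not copied into the sandbox');
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return seen.get(value);
  const copy = Object.create(null);
  seen.set(value, copy);
  for (const key of Object.keys(value)) copy[key] = toNullPrototype(value[key], seen);
  return Object.freeze(copy);
}

// Constructed stand-in for a mock document built as an object literal (the unsafe form)
// and its hardened copy.
const unsafeDocument = { title: 'sandbox', body: { children: [] } };
const hardenedDocument = toNullPrototype(unsafeDocument);
```

Running findPrototypeLeak over every host object before it is exposed to the sandbox gives a simple regression check that the fix stays in place.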

Applications that use Terrarium for sandboxed code execution may be compromised. An attacker could execute arbitrary commands as root inside the container, access and modify sensitive files including /etc/passwd and environment variables, reach other services on the container’s network including databases and internal APIs, and potentially escape the container and escalate privileges further.

Coordination with the vendor to obtain a patch or fix was not completed. Until a fix is available, the guidance states that mitigations can include disabling unnecessary features that allow users to submit code to the sandbox, implementing network segmentation to limit attack surface and prevent lateral movement, using a Web Application Firewall to detect and block suspicious traffic including attempts to exploit the vulnerability, monitoring container activity for signs of suspicious behavior, implementing access controls to limit access to the container and its resources to authorized personnel only, using a secure container orchestration tool to manage and secure containers, and regularly updating and patching dependencies.

The advisory’s mitigation guidance is focused on reducing exposure and limiting how sandboxed code can interact with the surrounding environment through feature controls, network controls, inspection and monitoring, access controls, container management, and dependency patching, while noting that no coordinated vendor patch or fix was obtained at the time of publication.