
CERT Coordination Center

Terrarium contains a vulnerability that allows arbitrary code execution

Vulnerability Note VU#414811

Original Release Date: 2026-04-21 | Last Revised: 2026-04-24

Overview

Terrarium is a sandbox-based code execution platform that lets users run untrusted code in a controlled environment so that it can be tested and validated without exposing the host. A vulnerability in Terrarium allows code submitted to the sandbox to execute arbitrary commands, as root, in the Node.js host process that runs the sandbox inside its container. The vulnerability is caused by sandboxed code traversing the JavaScript prototype chain of objects that Terrarium exposes to the Pyodide WebAssembly environment.

Description

The root cause lies in how the jsglobals objects are configured in service.ts. Specifically, the mock document object is created with a standard JavaScript object literal, so it inherits from Object.prototype. That inheritance chain lets sandbox code walk from the mock document to its inherited constructor (Object), from there to the Function constructor (Object.constructor), and then build a function that returns globalThis. With the host global object in hand, the sandbox code can reach Node.js internals, including require(). As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container.

CVE-2026-5752: A sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges in the host process via JavaScript prototype chain traversal.
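The JavaScript below is an illustration added to this note; it is not Terrarium's code, and the contents of the mock document objects are constructed for the example. It reproduces the two-hop traversal described above (document to Object to Function), shows that an object created with Object.create(null) has no inherited constructor to start from, and includes a review helper that also flags function-valued properties, since every JavaScript function carries its own .constructor reference to Function and so offers the same starting point.

```javascript
// Added illustration for VU#414811 (not Terrarium's code). Demonstrates the
// prototype-chain traversal described in this note and a null-prototype alternative.

// Constructed stand-in for a mock `document` built with an object literal.
// It inherits from Object.prototype, so `doc.constructor` is Object.
const mockDocumentLiteral = {
  title: "sandbox",
  getElementById: () => null,
};

// Constructed stand-in built with Object.create(null): no prototype, so there
// is no inherited `constructor` to walk up from.
const mockDocumentNullProto = Object.assign(Object.create(null), {
  title: "sandbox",
  getElementById: () => null,
});

// Data-only variant: null prototype and no function-valued properties.
const mockDocumentDataOnly = Object.freeze(
  Object.assign(Object.create(null), { title: "sandbox" })
);

// What untrusted sandbox code can do with nothing but property access on `doc`:
//   doc.constructor                 -> Object   (inherited from Object.prototype)
//   doc.constructor.constructor     -> Function
//   Function("return globalThis")() -> the host realm's global object
// Returns the host global if it is reachable this way, otherwise null.
function reachHostGlobal(doc) {
  const objCtor = doc.constructor; // undefined when the prototype is null
  if (typeof objCtor !== "function") return null;
  const fnCtor = objCtor.constructor;
  if (typeof fnCtor !== "function") return null;
  try {
    return fnCtor("return globalThis")();
  } catch (_) {
    return null;
  }
}

// Once the host global is in hand, Node.js internals such as `process` are a
// single property lookup away; `require` follows from there on a CommonJS host.
function hostInternalsExposed(g) {
  return (
    g !== null &&
    typeof g === "object" &&
    typeof g.process === "object" &&
    g.process !== null
  );
}

// Review helper: lists the property paths on an object handed to the sandbox
// from which the Function constructor is reachable in at most two hops.
// A null prototype closes `doc.constructor.constructor`, but every function-valued
// property still carries `.constructor === Function`, so those are reported too.
function findFunctionLeaks(root, name = "document") {
  const leaks = [];
  const proto = Object.getPrototypeOf(root);
  if (proto !== null && typeof proto.constructor === "function") {
    leaks.push(`${name}.constructor.constructor`);
  }
  for (const key of Object.keys(root)) {
    if (typeof root[key] === "function") {
      leaks.push(`${name}.${key}.constructor`);
    }
  }
  return leaks;
}

// Stand-alone demonstration.
console.log(reachHostGlobal(mockDocumentLiteral) === globalThis); // true
console.log(reachHostGlobal(mockDocumentNullProto));              // null
console.log(findFunctionLeaks(mockDocumentLiteral));
console.log(findFunctionLeaks(mockDocumentNullProto));
console.log(findFunctionLeaks(mockDocumentDataOnly));             // []
```

The data-only variant is the only one of the three with no path to Function, which is the point of the helper: replacing the object literal with a null-prototype object closes the specific chain this note describes, but any method the mock document still exposes to the sandbox has to be audited or wrapped as well, or the same escape is one hop shorter.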

Impact

Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to:

  • Execute arbitrary commands as root inside the container
  • Access and modify sensitive files, including /etc/passwd and environment variables
  • Reach other services on the container's network, including databases and internal APIs
  • Potentially escape the container and escalate privileges further

Mitigation

The vendor has published a patch as v1.0.1 of cohere-terrarium, and this version has been identified as the project's final release. Users should upgrade to v1.0.1 or migrate off the project. If upgrading is not possible, the following measures can reduce the risk of exploitation:

  • Disable unnecessary features: Where possible, disable any features that allow untrusted users to submit code to the sandbox.
  • Implement network segmentation: Isolate the sandbox container from databases, internal APIs, and other services to limit lateral movement if the sandbox is escaped.
  • Use a Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious traffic, including attempts to exploit the vulnerability.
  • Monitor container activity: Watch the container for unexpected child processes, file modifications, and outbound connections.
  • Implement access controls: Limit access to the container and its resources to authorized personnel only.
  • Use a secure container orchestration tool: Manage and secure the containers with an orchestration tool that enforces your security policy.
  • Regularly update and patch dependencies: Keep the sandbox's dependencies up to date and patched.

Acknowledgments

The vulnerability was discovered by Jeremy Brown, who used AI-assisted vulnerability research to identify the issue. This document was written by Timur Snoke with assistance from AI.

Vendor Information


Cohere: Affected

Notified: 2026-02-19 | Updated: 2026-04-23

Statement Date: April 22, 2026

CVE-2026-5752: Affected

Vendor Statement

We have not received a statement from the vendor.

References

CERT Addendum

cohere-terrarium has been archived. v1.0.1 is the final release and the README will carry an end-of-life banner pointing users to either upgrade to 1.0.1 or migrate off the project. There will be no further patches.


Other Information

CVE IDs: CVE-2026-5752
API URL: VINCE JSON | CSAF
Date Public: 2026-04-21
Date First Published: 2026-04-21
Date Last Updated: 2026-04-24 15:41 UTC
Document Revision: 3

Sponsored by CISA.