Root-level sandbox escape in Cohere AI Terrarium via JavaScript prototype chain traversal
Summary
Hide ▲
Show ▼
A critical sandbox escape vulnerability (CVE-2026-5752, CVSS 9.3) in Cohere AI’s Terrarium Python sandbox allows arbitrary code execution with root privileges on the host process through JavaScript prototype chain traversal in the Pyodide WebAssembly environment. Terrarium, a Docker-deployed sandbox for untrusted Python code, enables users to submit or generate code via LLMs and runs on Pyodide, supporting standard Python packages. Successful exploitation breaks out of the sandbox to execute system commands as root within the container, access sensitive files such as /etc/passwd, interact with other services on the container network, and potentially escape the container to escalate privileges. The flaw requires local access but no user interaction or special privileges, and no patch is expected as the project is no longer maintained.
Timeline
-
22.04.2026 10:16 1 articles · 2h ago
CVE-2026-5752 disclosed: Terrarium sandbox escape via Pyodide prototype chain traversal enables root code execution
CVE-2026-5752 is publicly disclosed as a critical sandbox escape vulnerability in Cohere AI’s Terrarium Python sandbox. The flaw resides in the Pyodide WebAssembly layer and allows JavaScript prototype chain traversal to execute arbitrary code with root privileges on the host Node.js process. Successful exploitation breaks the sandbox, enabling command execution as root within the container, unauthorized file access, network lateral movement, and potential container escape. No patch is expected due to the project’s status as unmaintained.
Show sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16
Information Snippets
-
Vulnerability tracked as CVE-2026-5752 with CVSS score 9.3 in Terrarium, a Python sandbox developed by Cohere AI and deployed as a Docker container.
First reported: 22.04.2026 10:161 source, 1 articleShow sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16
-
Root cause is JavaScript prototype chain traversal in the Pyodide WebAssembly environment enabling elevated privilege execution on the host Node.js process.
First reported: 22.04.2026 10:161 source, 1 articleShow sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16
-
Successful exploitation allows sandbox escape, arbitrary system command execution as root, unauthorized access to sensitive files (e.g., /etc/passwd), lateral movement within container network, and potential container escape with further privilege escalation.
First reported: 22.04.2026 10:161 source, 1 articleShow sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16
-
Exploitation requires local access to the system but no user interaction or special privileges; project is no longer actively maintained, so no patch is expected.
First reported: 22.04.2026 10:161 source, 1 articleShow sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16
-
Discovered and reported by security researcher Jeremy Brown; CERT/CC provides mitigations including disabling code submission, network segmentation, WAF deployment, and monitoring container activity.
First reported: 22.04.2026 10:161 source, 1 articleShow sources
- Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape — thehackernews.com — 22.04.2026 10:16