Overview

Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host Node.js process. This vulnerability is caused by a JavaScript prototype chain traversal in the Pyodide WebAssembly environment.

Description

The root cause of the vulnerability lies in the configuration of `jsglobals` objects in `service.ts`. Specifically, the mock `document` object is created using a standard JavaScript object literal, which inherits properties from `Object.prototype`. This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns `globalThis`, and from there access Node.js internals, including `require()`. As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container.

CVE-2026-5752: Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.

Impact

Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to:

- Execute arbitrary commands as root inside the container
- Access and modify sensitive files, including `/etc/passwd` and environment variables
- Reach other services on the container's network, including databases and internal APIs
- Potentially escape the container and escalate privileges further

Mitigation

The vendor has published a patch as v1.0.1 of cohere-terrarium and this version has been identified as the final release. If you are unable to patch your implementation, several mitigation strategies can be employed to reduce the risk of exploitation.

Users should consider implementing the following measures if upgrading is not an option:

- Disable unnecessary features: Disable any features that allow users to submit code to the sandbox, if possible.
- Implement network segmentation: Segment the network to limit the attack surface and prevent lateral movement.
- Use a Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious traffic, including attempts to exploit the vulnerability.
- Monitor container activity: Regularly monitor container activity for signs of suspicious behavior.
- Implement access controls: Limit access to the container and its resources to authorized personnel only.
- Use a secure container orchestration tool: Utilize a secure container orchestration tool to manage and secure containers.
- Regularly update and patch dependencies: Ensure that dependencies are up-to-date and patched.

Acknowledgments

The vulnerability was discovered by Jeremy Brown, who used AI-assisted vulnerability research to identify the issue. This document was written by Timur Snoke with assistance from AI.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

References

- https://github.com/cohere-ai/cohere-terrarium
- https://github.com/cohere-ai/cohere-terrarium/releases/tag/v1.0.1
- https://github.com/cohere-ai/cohere-terrarium/blob/v1.0.1/CHANGELOG.md
- https://github.com/cohere-ai/cohere-terrarium/security/advisories/GHSA-3wxm-55r9-54xv

Other Information

- CVE IDs: CVE-2026-5752
- Date Public: 2026-04-21
- Date First Published: 2026-04-21
- Date Last Updated: 2026-04-24 15:41 UTC
- Document Revision: 3
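The root cause in the Description can be checked for in any object handed to a sandbox. The following is an added example, not Terrarium's code and not the v1.0.1 patch: it audits an object graph for paths where property lookup reaches the `Function` constructor, then rebuilds the same data on null-prototype objects. `findConstructorPaths`, `harden` and `mockDocument` are hypothetical names, and the sample object is constructed.

```javascript
// Added illustration; findConstructorPaths, harden and mockDocument are hypothetical names.

// Report every path in an object exposed to the sandbox from which ordinary
// property lookup reaches the built-in Function constructor.
// Assumption: primitives are skipped because the Pyodide bridge hands them to
// Python as native values rather than as JavaScript objects.
function findConstructorPaths(value, path = 'jsglobals', seen = new Set()) {
  const kind = typeof value;
  if (value === null || (kind !== 'object' && kind !== 'function') || seen.has(value)) return [];
  seen.add(value);
  const hits = [];
  const ctor = value.constructor; // resolved through the prototype chain
  if (typeof ctor === 'function' && ctor.constructor === Function) hits.push(path);
  if (kind === 'object') {
    for (const key of Object.keys(value)) {
      hits.push(...findConstructorPaths(value[key], `${path}.${key}`, seen));
    }
  }
  return hits;
}

// Rebuild plain data on null-prototype objects and wrap functions so that
// neither Object.prototype nor Function.prototype is in any lookup chain.
// Limits: arrays and class instances are flattened to plain maps, `this` is
// not forwarded, and values the wrapped functions return are not covered.
function harden(value) {
  if (typeof value === 'function') {
    const wrapped = (...args) => value(...args);
    return Object.freeze(Object.setPrototypeOf(wrapped, null));
  }
  if (typeof value !== 'object' || value === null) return value;
  const clean = Object.create(null);
  for (const key of Object.keys(value)) clean[key] = harden(value[key]);
  return Object.freeze(clean);
}

// Constructed sample: a mock document built the way the advisory describes.
const mockDocument = {
  title: 'sandbox',
  body: { children: {} },
  getElementById: () => null,
};
const hardenedDocument = harden(mockDocument);

console.log('object literal:', findConstructorPaths(mockDocument));
console.log('null prototype:', findConstructorPaths(hardenedDocument));
```

A non-empty result from the audit on a production `jsglobals` object is a finding worth fixing even on patched deployments, since function-valued properties expose the same chain as object literals.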
Linked CVEs
| CVE ID | Severity (CVE.org) | CVSS (CVE.org) | EPSS | EPSS % | Published (CVE.org) |
|---|---|---|---|---|---|
| | CRITICAL | 9.3 | - | - | 2026-04-14 |
Source Details
| ID | Name | Category | Tags | Audience | Language | Feed URL |
|---|---|---|---|---|---|---|
| certcc_vuln | threat_intel | - | de | https://www.kb.cert.org/vuls/atomfeed/ |