A critical sandbox escape vulnerability has been disclosed in Terrarium, an open-source Python sandbox developed by Cohere AI. Tracked as CVE-2026-5752 with a CVSS score of 9.3, the flaw allows arbitrary code execution with root privileges in the host Node.js process via JavaScript prototype chain traversal. [1][2]
Because the project is no longer actively maintained, CERT/CC has confirmed that no patch is expected. Organizations still running Terrarium are left with mitigation-only options.
What Terrarium Does - and Why It Matters
Terrarium is a Docker-deployed container designed to execute untrusted Python code - whether written by end users or generated by a large language model. It runs on Pyodide, a Python distribution compiled to WebAssembly for browser and Node.js environments, enabling standard Python packages inside a sandboxed context. [1]
The project occupies a niche that has grown rapidly with the rise of LLM-powered applications: safely running AI-generated code. Terrarium has been forked 56 times and starred 312 times on GitHub, a modest footprint, but its architecture is representative of many similar sandbox setups deployed by teams integrating code-execution capabilities into AI workflows. [1]
How the Exploit Works
The root cause is a failure to prevent sandboxed code from accessing parent or global object prototypes in the JavaScript runtime. Terrarium's Pyodide environment exposes mock DOM objects - document, ImageData, and the elements returned by document.getElementById / createElement / createTextNode. [3]
An attacker can traverse the prototype chain of these mock objects using __proto__ and .constructor to reach the host Function constructor. From there, arbitrary JavaScript executes in the host Node.js process - outside the sandbox - with root privileges. [2][3]
As SentinelOne noted, "the sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment." [1]
Impact and Attack Requirements
Successful exploitation enables an attacker to:
- Execute arbitrary system commands as root within the container
- Read sensitive files such as /etc/passwd
- Reach other services on the container's network
- Potentially escape the container and escalate further
The attack requires local access to the system but needs no user interaction and no special privileges. [1][2] In deployments where Terrarium is exposed to user-submitted or LLM-generated code - its intended use case - any user who can submit code to the sandbox already meets that access requirement.
Security researcher Jeremy Brown is credited with discovery and disclosure. [1]
Recommended Mitigations
With no patch forthcoming, CERT/CC recommends the following defensive steps: [2]
Broader Implications for AI Code Sandboxing
This vulnerability highlights a structural risk in the AI tooling ecosystem. As LLM applications increasingly require sandboxed code execution - for tool use, code interpreters, and agent workflows - the security of the sandbox boundary becomes the single most critical trust assumption in the architecture. Terrarium's flaw is prototype-chain traversal, a well-understood class of JavaScript attack. That it existed in a sandbox specifically designed to contain untrusted code underscores how subtle these boundary violations can be.
The project's abandoned status compounds the risk: open-source AI infrastructure components can lose maintainer support with little notice, leaving downstream users with unpatched critical vulnerabilities. Teams building on open-source sandboxes should evaluate maintainer activity and have contingency plans for exactly this scenario.
Sources
[1] Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
[2] VU#414811 - Terrarium contains a vulnerability that allows arbitrary code execution with root privileges
[3] Sandbox escape via JavaScript prototype chain traversal in cohere-terrarium (GitHub Advisory)