{"id":671,"date":"2026-04-22T09:51:01","date_gmt":"2026-04-22T09:51:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=671"},"modified":"2026-04-22T09:51:01","modified_gmt":"2026-04-22T09:51:01","slug":"cohere-ai-terrarium-sandbox-flaw-enables-root-code-execution-container-escape","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=671","title":{"rendered":"Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 22, 2026<\/span><\/span>Vulnerability \/ Container Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium<\/a> that could result in arbitrary code execution.<\/p>\n

The vulnerability, tracked as CVE-2026-5752<\/strong>, is rated 9.3 on the CVSS scoring system.<\/p>\n

\u00abSandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal,\u00bb according to a description<\/a> of the flaw in CVE.org.<\/p>\n

Developed by Cohere AI as an open-source project, Terrarium is a Python sandbox that’s used as a Docker-deployed container for running untrusted code written by users or generated with assistance from a large language model (LLM).<\/p>\n

Notably, Terrarium runs on Pyodide, a Python distribution for the browser and Node.js, enabling it to support standard Python packages.\u00a0 The project has been forked 56 times and starred 312 times.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

According to the CERT Coordination Center (CERT\/CC), the root cause relates<\/a> to a JavaScript prototype chain traversal in the Pyodide WebAssembly environment that enables code execution with elevated privileges on the host Node.js process.<\/p>\n

Successful exploitation of the vulnerability can allow an attacker to break out of the confines of the sandbox and execute arbitrary system commands as root within the container.<\/p>\n

In addition, it can permit unauthorized access to sensitive files, such as \u00ab\/etc\/passwd,\u00bb reach other services on the container’s network, and even possibly escape the container and escalate privileges further.<\/p>\n

It bears noting that the attack requires local access to the system but does not require any user interaction or special privileges to exploit.<\/p>\n

Security researcher Jeremy Brown has been credited with discovering and reporting the flaw. Given that the project is no longer actively maintained, the vulnerability is unlikely to be patched.<\/p>\n

As mitigations, CERT\/CC is advising users to take the following steps –<\/p>\n