A critical vulnerability has been disclosed in the Python-based sandbox Terrarium, developed by Cohere AI, tracked as CVE-2026-5752 and rated 9.3 on the CVSS scale, which could lead to arbitrary code execution with root privileges on a host process.
According to CERT/CC, the root cause involves a JavaScript prototype chain traversal in the Pyodide WebAssembly environment that enables code execution with elevated privileges inside the container, allowing sandbox escapes and potential access to sensitive files such as /etc/passwd. The Terrarium project is open source, runs as a Docker-deployed container, and is used to execute untrusted code written by users or generated with an LLM; it runs on Pyodide and has been forked 56 times and starred 312 times.
Security researchers note that exploitation requires local access and does not require user interaction or elevated privileges, and the project is no longer actively maintained, making patching unlikely.
Mitigations recommended by CERT/CC include disabling code submission to the sandbox where possible, network segmentation, deploying a Web Application Firewall, monitoring container activity, limiting access, and using secure container orchestration; SentinelOne cautioned that prototype pollution via traversal bypasses the sandbox’s intended boundaries.