Cohere AI Terrarium sandbox flaw can let attackers run code as root

A critical flaw in Cohere AI’s Terrarium Python sandbox could let attackers execute arbitrary code with root privileges in a host process, with the vulnerability rated 9.3 on the CVSS scale, according to a CVE entry and a CERT/CC advisory.

KEY FACTS

  • Vulnerability: CVE-2026-5752 is a sandbox escape flaw in Terrarium.
  • Impact: Successful exploitation can allow arbitrary system commands, file access and possible container escape.
  • Root cause: The issue stems from JavaScript prototype chain traversal in the Pyodide environment.
  • Access: The attack requires local access but no user interaction.
  • Status: The project is described as no longer actively maintained.

Terrarium is an open-source Python sandbox that runs in a Docker-deployed container and uses Pyodide to support standard Python packages. The project has been forked 56 times and starred 312 times.

CERT/CC said the flaw lets sandboxed code reach parent or global object prototypes and manipulate objects in the host environment. That can bypass the intended security boundaries of the sandbox.
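
To make "prototype chain traversal" concrete, the added example below (generic JavaScript, not Terrarium's code and not a reproduction of CVE-2026-5752) audits an object that a host is about to expose to sandboxed code and reports where its prototype chain leads back to the host's Function constructor, then shows a hardened, prototype-less copy. The helper names `auditExposure` and `toInertCopy` and the sample objects are assumptions made for this illustration.

```javascript
// Added illustration: generic JavaScript, not Terrarium's code.
// auditExposure and toInertCopy are hypothetical helper names.

// List every place where an object graph handed to guest code leads back to
// the host realm's Function constructor through a prototype chain.
function auditExposure(value, path = 'value', seen = new Set(), findings = []) {
  const t = typeof value;
  if (value === null || (t !== 'object' && t !== 'function')) return findings;
  if (seen.has(value)) return findings;            // cycle guard
  seen.add(value);
  if (t === 'function') findings.push(`${path}: host function exposed`);
  let depth = 0;
  for (let o = value; o !== null; o = Object.getPrototypeOf(o), depth++) {
    const d = Object.getOwnPropertyDescriptor(o, 'constructor');
    // X.constructor is the Function constructor of the realm that made X.
    if (d && typeof d.value === 'function' && d.value.constructor === Function) {
      findings.push(`${path}: host Function reachable at prototype depth ${depth}`);
      break;
    }
  }
  for (const key of Object.keys(value)) {
    auditExposure(value[key], `${path}.${key}`, seen, findings);
  }
  return findings;
}

// Hardened form: copy plain data into frozen, prototype-less objects so there
// is no chain to walk. Arrays become index-keyed objects; functions are refused.
function toInertCopy(value) {
  const t = typeof value;
  if (t === 'function' || t === 'symbol') {
    throw new TypeError('only plain data may cross the sandbox boundary');
  }
  if (value === null || t !== 'object') return value;
  const copy = Object.create(null);
  for (const key of Object.keys(value)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    copy[key] = toInertCopy(value[key]);
  }
  return Object.freeze(copy);
}

// Constructed sample: a config object a host might pass to guest code.
const sampleConfig = { limits: { timeoutMs: 5000 }, log: (msg) => msg };
const sampleData = { limits: { timeoutMs: 5000 } };

console.log(auditExposure(sampleConfig));            // four findings
console.log(auditExposure(toInertCopy(sampleData))); // []
```

This hardens only the data passed across a boundary and is not a patch for CVE-2026-5752.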

According to the disclosure, an attacker who exploits the bug could break out of the sandbox, run commands as root within the container, access sensitive files such as /etc/passwd, and potentially reach other services on the container network.

The advisory recommended disabling user-submitted code where possible, segmenting networks, monitoring container activity, limiting access to authorized personnel, and keeping dependencies patched. It also noted that no patch is likely if the project remains unmaintained.

WHY IT MATTERS

Sandbox tools are meant to isolate untrusted code, so a breakout flaw can create direct risk for systems that process user input or AI-generated code. The issue also shows how container and browser runtime components can weaken isolation when prototype traversal reaches the host process.