# Cohere's Terrarium Sandbox Exploited via JavaScript Prototype Chain Attack—Root Code Execution Confirmed
## The Threat
Cohere AI's Terrarium, a Python-based sandbox environment designed to safely execute untrusted code, contains a critical vulnerability that undermines its core security model. Tracked as CVE-2026-5752, the flaw allows attackers to escape the sandbox boundary entirely and execute arbitrary code with root privileges on the host process—defeating the entire purpose of the sandboxing mechanism.
The vulnerability exploits a weakness in how Terrarium handles JavaScript prototype chain traversal. An attacker can manipulate JavaScript object prototypes to gain unauthorized access to restricted namespaces and execute system commands on the underlying host. This is particularly dangerous because Terrarium is marketed as a safe execution environment for untrusted code, making it a common component in AI inference pipelines, code execution services, and third-party application sandboxes.
Organizations using Terrarium to execute user-supplied code or external scripts are at immediate risk. The attack requires only the ability to submit code for execution—no special privileges or authentication bypass is needed. Once code execution is achieved, the attacker operates with root-level access, giving them full control over the container and potentially the host infrastructure.
## Severity and Impact
| Field | Details |
|-------|---------|
| CVE Identifier | CVE-2026-5752 |
| CVSS Score | 9.3 (Critical) |
| CVSS Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Network (N) |
| Attack Complexity | Low (L) |
| Privileges Required | None (N) |
| User Interaction | None (N) |
| Scope | Changed (C) |
| Confidentiality Impact | High (H) |
| Integrity Impact | High (H) |
| Availability Impact | High (H) |
| CWE Identifier | CWE-94 (Code Injection), CWE-668 (Exposure of Resource to Wrong Sphere) |
The critical CVSS rating reflects the severe nature of this vulnerability. The low attack complexity means no special tools or techniques are required—a simple JavaScript payload can trigger the escape. The fact that no authentication or user interaction is required makes this exploitable in any scenario where Terrarium processes user input.
## Affected Products
Cohere Terrarium:
Organizations should verify their exact Terrarium version using:

```bash
python -m terrarium --version
```

The vulnerability affects all installations of Terrarium within the vulnerable version range, regardless of deployment method (Docker containers, native Python environments, or cloud-hosted instances).
## Mitigations
Immediate Actions:
1. Update Terrarium immediately to version 1.5.0 or later once it becomes available. This patch addresses the prototype chain traversal vulnerability at its source.
2. Disable Terrarium sandboxing temporarily if upgrading is not immediately possible and you are executing any untrusted code. This is a safety measure only—consult with your security team on safe alternatives.
3. Implement network segmentation to isolate systems running Terrarium from sensitive infrastructure. Use firewall rules to restrict outbound connections from sandbox hosts to critical internal systems, databases, and services.
4. Audit execution logs to identify any suspicious JavaScript code or prototype manipulation attempts. Look for patterns such as:
   - References to `__proto__` or `prototype` in submitted code
   - Attempts to access `process`, `require`, or `child_process` modules
   - Unusual shell commands in execution logs
5. Restrict code submission to trusted sources only while the patch is pending. If you operate a public API that accepts user code, consider temporarily disabling that feature or requiring explicit approval before code execution.
6. Monitor for compromise indicators including:
   - Unexpected outbound connections from sandbox containers
   - Unusual resource consumption or long-running processes
   - Creation of new user accounts or SSH keys on host systems
   - Changes to container images or base layers
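
One way to run the step 4 audit over submitted code, as an added example that is not code from Cohere or from this advisory. It assumes execution logs are exported as JSON Lines with hypothetical `request_id` and `code` fields (the advisory does not describe Terrarium's log format); the regexes are this example's choice and the sample lines are constructed.

```python
import json
import re

# Indicator names come from the advisory's audit list; the regexes are assumptions.
INDICATORS = {
    "__proto__": re.compile(r"__proto__"),
    "prototype": re.compile(r"\bprototype\b"),
    "child_process": re.compile(r"\bchild_process\b"),
    "require": re.compile(r"\brequire\s*\("),
    # Word boundaries keep preprocess/subprocess/child_process from matching here.
    "process": re.compile(r"\bprocess\b"),
}

def audit(lines):
    """Return {request_id or 'line N': [indicator, ...]} for every flagged log line."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            code = record["code"]  # hypothetical field holding the submitted code
            if not isinstance(code, str):
                raise TypeError("code is not a string")
        except (ValueError, KeyError, TypeError):
            # A truncated or malformed record cannot be cleared, so surface it.
            findings[f"line {number}"] = ["unparsable"]
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(code)]
        if hits:
            findings[record.get("request_id", f"line {number}")] = hits
    return findings

# Constructed sample log lines (not real Terrarium output).
SAMPLE_LOG = [
    '{"request_id": "r-001", "code": "print(sum(range(10)))"}',
    '{"request_id": "r-002", "code": "x = thing.__proto__"}',
    '{"request_id": "r-003", "code": "m = require(\'child_process\')"}',
    '{"request_id": "r-004", "code": "rows = preprocess(data)"}',
    '{"request_id": "r-005", "code": "# prototype of the parser"}',
    '{"request_id": "r-006", "code": ',
]

if __name__ == "__main__":
    for key, hits in audit(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(hits)}")
```

Matches are triage leads rather than verdicts: the comment in `r-005` is flagged for `prototype`, so each hit still needs manual review alongside the host-level indicators in step 6.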
Long-term Recommendations:
## References
---
Recommendation: Organizations operating production systems that depend on Terrarium should prioritize this patch as critical. The combination of no authentication requirements and root-level code execution makes this one of the most severe sandbox escapes reported this year. If you cannot patch immediately, disable the affected functionality until a fix is deployed.