Critical Vulnerability in Cohere Terrarium Allows Root Code Execution

22.04.2026 3 minutes Author: Newsman

A critical vulnerability has been discovered in Cohere’s Terrarium sandbox environment that could allow arbitrary code to be executed with root privileges and potentially to escape the container. The risk is rated at 9.3 on CVSS, making it one of the most dangerous flaws in the field of code isolation.

There have recently been reports of a serious flaw in the Python sandbox Terrarium that could allow an attacker to inject arbitrary code into an application that uses it. The issue has been assigned the identifier CVE-2026-5752 and, under the Common Vulnerability Scoring System (CVSS), its severity is rated 9.3.

Terrarium is a sandboxed development environment developed by Cohere. Its primary purpose is to let developers test their applications in isolation from each other. Terrarium is most commonly installed as a Docker container, where it provides a sandboxed environment in which developers can run untrusted code. In Terrarium’s case, the untrusted code typically comes from a Large Language Model (LLM).

Beyond being a sandboxed environment, Terrarium uses the same underlying architecture as the Python WebAssembly environment, and it is within that environment that the mechanism for bypassing the JavaScript prototype chain exists. Because of this, an attacker who bypasses Terrarium’s sandbox restrictions gains enough permissions to execute code in the Node.js host process with elevated rights.

From an attacker’s perspective, this means shell commands can be executed outside of the sandbox with elevated privileges. An attacker can use this to read sensitive files (such as /etc/passwd) and to interact with other services on the container network. Moreover, an attacker may attempt to escape the container entirely through further privilege escalation.

One key characteristic of this vulnerability is that exploiting it requires only local access to the affected system; no user interaction or pre-existing elevated rights are needed. This significantly reduces the complexity of the attack.

Terrarium uses Pyodide to run Python code, with standard packages available, in both browsers and Node.js environments. Although Terrarium is an open-source project with hundreds of stars and dozens of forks, it is currently not actively maintained, so there is some uncertainty about whether the vulnerability is still present.

Security researcher Jeremy Brown first found this vulnerability and submitted his findings. Experts say one reason the sandbox is unable to effectively block access to global objects is that so much code inside the sandbox interacts with the host environment, and in doing so crosses the intended security boundary.

To help mitigate the risk, CERT/CC recommends the following basic measures:

  • Disable the ability to run user code in a sandbox unless absolutely necessary.

  • Limit the amount of network access for containers in order to reduce potential impact from attacks like this.

  • Use a web application firewall (WAF) to prevent malicious traffic from entering your application.

  • Monitor all activity occurring within your containers for any signs of abnormal behavior.

  • Restrict access to your containers to only trusted users.

  • Only utilize secure orchestration tools.

  • Regularly keep your dependencies up-to-date.
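As an added illustration of the container-level recommendations above (this is not Cohere’s, Terrarium’s or CERT/CC’s own configuration), the Docker Compose file below contrasts a default-style service with a hardened one for a container that executes LLM-generated code; the image name and port are placeholders. The hardened settings reduce the blast radius of a sandbox escape (no root, no network reach, no writable root filesystem, no capabilities) but do not fix the sandbox flaw itself.

```yaml
# Added example: hardening a container that runs LLM-generated code.
# Image name and port are placeholders, not Terrarium's real values.
services:
  # Weak: runs as root on the default bridge network with all default
  # capabilities, so a sandbox escape lands as root with network reach.
  sandbox-default:
    image: example/sandbox:latest   # placeholder image
    ports:
      - "8080:8080"

  # Hardened: the same service with its blast radius reduced.
  sandbox-hardened:
    image: example/sandbox:latest   # placeholder image
    user: "65534:65534"             # unprivileged uid/gid instead of root
    network_mode: none              # no reach to other services; hand jobs
                                    # in via a mounted volume or stdin, or
                                    # use an `internal: true` network
    read_only: true                 # root filesystem cannot be modified
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m   # scratch space, no executables
    cap_drop:
      - ALL                         # no Linux capabilities to escalate with
    security_opt:
      - no-new-privileges:true      # blocks setuid/setcap privilege gains
    pids_limit: 128                 # caps runaway process creation
    mem_limit: 512m
    cpus: "1.0"
    init: true                      # reaps zombie processes
    restart: "no"
```

Pair this with the monitoring recommendation above: a process in the hardened service attempting outbound connections or writes outside /tmp is itself a useful alert signal.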

Once again, this illustrates a fundamental truth: while sandboxes are designed to isolate harmful code from your own application, the sandbox itself can become an entry point for attackers if proper protections are not put in place.
