RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: terrarium (2 articles)Clear
vulnerability
CVE-2026-5752
2026-04-22

Cohere's Terrarium AI code sandbox has a root-level escape with no patch coming (CVE-2026-5752, CVSS 9.3)

A critical sandbox-escape flaw in Cohere AI's open-source Terrarium project lets code running inside the sandbox break out and execute arbitrary commands as root on the host Node.js process. Terrarium is a Python sandbox built on Pyodide (a browser- and Node.js-compatible Python distribution running in WebAssembly) and deployed as a Docker container to safely run untrusted code submitted by users or generated by a large language model. That exact use case makes the blast radius real: any AI product using Terrarium to evaluate LLM-generated Python code is giving its models a direct path to root on the container and, from there, potentially on the host. The flaw (CVE-2026-5752, CVSS 9.3) stems from JavaScript prototype chain traversal in the Pyodide WebAssembly environment: sandboxed code can reach parent and global object prototypes to manipulate objects in the host, a technique SentinelOne describes as prototype pollution bypassing the intended security boundaries. Exploitation needs local access to the sandbox but no special privileges or user interaction. The project has been starred 312 times and forked 56 times. Because Cohere is no longer actively maintaining Terrarium, the flaw is unlikely to ever be patched. Security researcher Jeremy Brown reported the issue.

cohereterrariumsandbox-escapepyodidewebassemblyllm-securitycontainer-escapeunpatched
Check
Search your AI and data-engineering stack for any use of Cohere's Terrarium (direct or as a dependency or fork) and identify whether user-submitted or LLM-generated code is routed through it.
Affected
All versions of Cohere AI Terrarium and any fork that inherits the Pyodide prototype traversal issue. The project is unmaintained - no patched version will be published.
Fix
Stop accepting user- or LLM-submitted code into Terrarium sandboxes. CERT/CC advises disabling any feature that submits code to Terrarium, segmenting the network so a compromised container cannot reach other services, restricting container and orchestrator access to authorized personnel, and deploying a WAF to block exploitation patterns. The only durable fix is to migrate off Terrarium to a maintained sandbox (gVisor, Firecracker, or a commercially supported code-execution service) with per-request ephemeral VMs and strict egress controls.
vulnerability
CVE-2026-5752
2026-04-22

Cohere's Terrarium AI sandbox breaks out to root on the host with no vendor patch in sight (CVE-2026-5752)

CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.

cohereterrariumpyodidesandbox-escapeai-infracontainer-escapeno-patchprototype-chain
Check
If you run Terrarium anywhere in your stack (including behind an AI product that evaluates user-supplied Python) take it offline until you can wrap it in a second isolation layer or replace it with a hardened alternative.
Affected
All currently-available versions of Cohere Terrarium (github.com/cohere-ai/cohere-terrarium). The JavaScript prototype-chain traversal in Pyodide WebAssembly is exploitable by any code the sandbox accepts for execution - including code an LLM generates from a user prompt, which is the entire point of the product. CERT/CC confirmed there is no vendor patch as of the advisory.
Fix
Disable any feature that lets users (or an upstream LLM) submit arbitrary code to Terrarium. Wrap Terrarium deployments in a second isolation layer - gVisor or Firecracker microVMs for stronger kernel isolation, strict network egress policies, read-only root filesystems, and dropped Linux capabilities including CAP_SYS_ADMIN. Segment Terrarium containers so they cannot reach internal APIs, databases, or metadata services. Monitor for unexpected root-level process creation inside Terrarium containers and alert on any Node.js Function constructor invocation originating from sandbox code. For new AI-code-execution use cases, evaluate alternatives like the Deno-based approach with explicit permission flags or E2B's hardened cloud sandboxes.