Critical Cohere AI Terrarium Sandbox Escape Allows Root Code Execution via JavaScript Prototype Chain Traversal (CVE-2026-5752)


A critical sandbox escape vulnerability has been disclosed in Terrarium, an open-source Python sandbox developed by Cohere AI for running untrusted code in Docker-deployed containers. Tracked as CVE-2026-5752 with a CVSS score of 9.3, the flaw allows attackers to break out of the sandbox and execute arbitrary system commands as root within the container — with potential for further container escape and privilege escalation.

Terrarium is designed to safely execute untrusted Python code written by users or generated by large language models. It runs on Pyodide, a Python distribution for browser and Node.js environments that supports standard Python packages. The project has 312 stars and 56 forks on GitHub, indicating meaningful adoption across the AI development community.

The root cause is a JavaScript prototype chain traversal in the Pyodide WebAssembly environment. The sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment. This traversal bypasses the sandbox's intended security boundaries entirely, granting code execution with elevated privileges on the host Node.js process.

An attacker who exploits the flaw can execute arbitrary system commands as root within the container, access sensitive files such as /etc/passwd, reach other services on the container's network, and potentially escape the container to escalate privileges further into the host environment. The attack requires local access but no user interaction or special privileges.

The vulnerability was discovered by security researcher Jeremy Brown and coordinated through CERT/CC. The critical complicating factor: Terrarium is no longer actively maintained by Cohere AI, meaning no patch is expected. Any organization currently running Terrarium in production is operating with an unpatched CVSS 9.3 vulnerability that will not be fixed upstream.

Mitigation:

Organizations running Terrarium should evaluate whether continued use is viable given the severity and the absence of any incoming patch. If the sandbox cannot be decommissioned immediately, disable any features that allow users to submit code to it. Segment the network around Terrarium containers to limit lateral movement in the event of exploitation. Deploy monitoring for suspicious container activity including unexpected process execution, file access outside normal patterns, and outbound network connections from the container. Restrict container access to authorized personnel only and ensure container orchestration tooling enforces least-privilege configurations. Long term, migrate to an actively maintained sandboxing solution.
