CVE-2026-45227
heymrun · heym
The heym package contains a sandbox escape vulnerability that allows authenticated attackers to bypass security restrictions via Python introspection.
Executive summary
A critical sandbox escape vulnerability in the heym package allows authenticated attackers to bypass security protections, potentially leading to full system control.
Vulnerability
The software suffers from a Protection Mechanism Failure (CWE-693) that permits sandbox escaping through Python introspection. This vulnerability requires the attacker to have low-level authenticated access (PR:L).
Business impact
A successful sandbox escape allows an attacker to break out of the intended execution environment, leading to potential unauthorized access to the underlying host system. With a CVSS score of 8.8, this vulnerability poses a severe threat to the confidentiality, integrity, and availability of the host environment.
Remediation
Immediate Action: Update the heym package to version 0.0.21 or later to resolve the sandbox escape vulnerability.
Proactive Monitoring: Monitor for unexpected execution of system-level commands or unauthorized file system access originating from the application process.
Compensating Controls: Ensure the application is running with the least privilege necessary, and consider containerization or additional OS-level sandboxing to limit the scope of a potential breakout.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the existence of a proof-of-concept and the high severity of a sandbox escape, users of the heym package should update to version 0.0.21 immediately. Proactive patching is essential to prevent potential host system compromise.