Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes

The Cohere Terrarium vulnerability (CVE-2026-5752, CVSS 9.3) allows sandbox escape to host root code execution via JavaScript prototype chain traversal in Pyodide. The OpenAI Codex CLI vulnerability (CVE-2025-59532) allowed the AI model to redefine the sandbox's writable filesystem boundary by treating its suggested working directory as authoritative. Both cases demonstrate critical failures in AI code sandbox isolation, where untrusted model-generated code gained excessive host access.

Two sandboxes. Two AI labs. Seven months apart. Same class of failure.

On September 22, 2025, OpenAI published GHSA-w5fx-fh39-j5rw. Codex CLI versions 0.2.0 through 0.38.0 had a sandbox bypass. The cwd (current working directory) that the model suggested was being treated as the sandbox's writable root. If the model decided, through whatever chain of reasoning or injection, that it needed to work in /etc, the sandbox would dutifully mark /etc as writable.

On April 14, 2026, GHSA-cmpr-pw8g-6q6c landed. Cohere Terrarium, a Python sandbox built to run LLM-generated code, scored 9.3. Root code execution on the host, from inside the sandbox, via JavaScript prototype chain traversal.

Then there's the other thing. CERT/CC had notified Cohere on February 19, 2026, and published VU#414811 on April 21. Sixty-one days, sixteen past CERT's standard 45-day disclosure window. On the live advisory today, Cohere's vendor status is still listed as "Unknown," and under "Vendor Statement" CERT writes: "We have not received a statement from the vendor." As far as I can find in public kb.cert.org listings, this is the first published CERT/CC advisory against a major AI lab where the vendor went that long without responding.

Different labs. Different stacks. Different bug classes (one CWE-20 input validation, one prototype walk through Pyodide's FFI). Both sandboxes built to contain code written by language models. Both failed at the first principle of confinement, which is that untrusted code shouldn't be able to reach out and touch the host. That's the story worth telling.

What actually happened in Codex CLI

OpenAI's root cause, in their own words: "Codex CLI could treat a model-generated cwd as the sandbox's writable root, including paths outside of the folder where the user started their session." (GHSA-w5fx-fh39-j5rw)

The fix is telling. PR #3874, merged as part of 0.39.0 on September 18, 2025, is titled "fix: ensure cwd for conversation and sandbox are separate concerns."
Two path variables where there used to be one: command_cwd (what the model asks for) and sandbox_policy_cwd (the user's actual session boundary). The sandbox policy now derives from the user's session. The model's suggestion is still honored for running the command, but it can't redefine what the sandbox is.

Read that slowly. The bug wasn't that Codex failed to block a known attack. The bug was that the sandbox treated a value the model controls as authoritative for the sandbox's own boundary. CVSS v4 8.6. CWE-20 (improper input validation). The advisory notes the network-disabled restriction wasn't bypassed by this, only the filesystem boundary. Small consolation if the Codex process had permission to write your SSH config.

What actually happened in Terrarium

Terrarium is a simple idea. Cohere's data agents generate Python code. The code needs to run somewhere that isn't the main server. So it runs inside Pyodide, which is CPython compiled to WebAssembly, wrapped in a Node.js HTTP server, wrapped in a Docker container. The README is honest about the threat model, even preemptively: "Cohere does not give any guarantees for the sandbox integrity." That caveat turned out to be more important than it looked.

CERT's technical breakdown, from VU#414811: "The root cause of the vulnerability lies in the configuration of jsglobals objects in service.ts." "the mock document object is created using a standard JavaScript object literal, which inherits properties from Object.prototype." "This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns globalThis, and from there access Node.js internals, including require()."

To understand why this matters, you have to understand what Pyodide actually is.

Pyodide isn't a sandbox

This is the part nobody's been writing about. Pyodide's own description: "Pyodide is a Python distribution for the browser and Node.js based on WebAssembly."
It is not, and has never claimed to be, a security boundary. The Pyodide project documents an FFI (foreign function interface) between Python and JavaScript, and the whole point of the FFI is that Python code can reach into JavaScript objects. From Pyodide's type conversion docs: "JavaScript objects in the globalThis global scope can be imported into Python using the js module."

There's an option when initializing Pyodide called jsglobals that lets the embedder swap out which JavaScript scope Python's js module sees. Default value: globalThis. That is, by default, Python running inside Pyodide has read/write access to the host JavaScript runtime's global scope. Terrarium tried to restrict this by passing a custom jsglobals object, a plain JavaScript object literal containing a mock document.

This is where the CVE lives. In JavaScript, a plain object literal ({}) inherits from Object.prototype. Which means every JavaScript object the sandbox can see has a .constructor property. And constructor.constructor is the Function ...
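The defensive side of that observation is an audit: before handing an object to Pyodide as jsglobals, walk everything reachable from it and confirm that nothing still has a prototype, because any value that does exposes an inherited constructor to sandbox code. The following is an added example, not Terrarium's service.ts and not Pyodide's code. It pairs such an audit with a builder that turns a data-only mock into frozen null-prototype objects. The sample mock document is constructed here; the shape of Terrarium's real mock, and whether a null-prototype object satisfies Pyodide's own expectations for jsglobals, are assumptions the example does not settle.

```javascript
// Added example, not Terrarium's code: audit a candidate `jsglobals` object for
// inherited prototypes, and build one whose objects have no prototype at all.
// The sample mock `document` is constructed here; the real mock's shape is assumed.

// Depth-first walk over `root` and every reachable own property value.
// Reports the path of each object or function that still has a prototype,
// because any such value exposes an inherited `constructor` to sandbox code.
function findInheritedPrototypes(root) {
  const findings = [];
  const seen = new Set();
  const stack = [[root, 'jsglobals']];
  while (stack.length > 0) {
    const [value, where] = stack.pop();
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) continue;
    if (seen.has(value)) continue; // guard against cycles
    seen.add(value);
    if (Object.getPrototypeOf(value) !== null) findings.push(where);
    for (const key of Reflect.ownKeys(value)) {
      if (typeof key === 'symbol') continue;
      let child;
      try { child = value[key]; } catch { continue; } // skip throwing getters
      stack.push([child, `${where}.${key}`]);
    }
  }
  return findings.sort();
}

// Deep-copy a data-only object into frozen null-prototype objects, so that
// neither Object.prototype nor its `constructor` is reachable through it.
// Functions are passed through unchanged and will be reported by the audit,
// since they inherit from Function.prototype; a real embedding has to decide
// separately what callable surface, if any, the sandbox may see.
function toNullPrototype(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) out[key] = toNullPrototype(value[key]);
  return Object.freeze(out);
}

// Constructed sample: a plain-literal mock document of the kind the advisory
// describes, and its hardened counterpart.
const WEAK_JSGLOBALS = { document: { title: 'sandbox', body: { innerHTML: '' } } };
const HARDENED_JSGLOBALS = toNullPrototype(WEAK_JSGLOBALS);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', findInheritedPrototypes(WEAK_JSGLOBALS));
  console.log('hardened:', findInheritedPrototypes(HARDENED_JSGLOBALS));
}
```

Run against the weak literal, the audit reports the root object, the mock document and its body, because each inherits from Object.prototype; run against the hardened copy it reports nothing. The audit is deliberately strict about functions: a mock that exposes even one method still hands the sandbox a value whose prototype chain ends at Function, which is exactly the class of reach the CERT note describes, so the check reports it rather than quietly accepting the object.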
