CVE-2026-34208: SandboxJS Global Object Bypass (Critical)

Platform: nodejs

Component: sandboxjs

Fixed in: 0.8.36

CVE-2026-34208 is a critical security vulnerability in the @nyariv/sandboxjs library that allows attackers to bypass the protections against direct assignment to global objects. The bypass goes through an exposed callable constructor path and enables arbitrary property writes into host global objects; these mutations persist across sandbox instances. The issue affects versions prior to 0.8.36 and is resolved in version 0.8.36.

How to fix

Upgrade SandboxJS to version 0.8.36 or later to mitigate the sandbox integrity escape vulnerability. This update fixes the issue so that direct assignments to global objects are correctly blocked, preventing malicious code from writing arbitrary properties into the host's global objects.

Frequently asked questions

What is CVE-2026-34208?

CVE-2026-34208 is a critical vulnerability in @nyariv/sandboxjs that allows attackers to bypass protections and write arbitrary properties into global objects, affecting all sandbox instances.

Am I affected by CVE-2026-34208?

You are affected if you are using a version of @nyariv/sandboxjs prior to 0.8.36. This vulnerability allows attackers to modify host global objects, and the changes persist across sandbox instances.

How do I fix CVE-2026-34208?

To fix CVE-2026-34208, upgrade to version 0.8.36 or later of the @nyariv/sandboxjs library. This version contains the necessary patch to prevent the global object bypass.
