Platform: nodejs
Component: @nyariv/sandboxjs
Fixed in: 0.8.37, 0.8.36
CVE-2026-34208 is a critical remote code execution (RCE) vulnerability affecting the @nyariv/sandboxjs JavaScript library. This flaw allows attackers to bypass sandbox restrictions and manipulate host global objects, potentially leading to complete system compromise. The vulnerability impacts versions prior to 0.8.36 and is addressed by upgrading to the patched version. Public disclosure occurred on 2026-04-03.
The core of the vulnerability lies in the sandbox's inability to fully prevent assignment to global objects. While direct assignment is blocked, a bypass exists through the this.constructor.call(target, attackerObject) path. Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is permitted, malicious code can leverage this to write arbitrary properties into the host's global objects. This is particularly dangerous because these mutations persist across sandbox instances within the same process. An attacker could, for example, overwrite critical functions like Math.random or inject malicious code into existing objects, effectively gaining control over the application's execution environment. The potential for lateral movement is significant if the compromised application has access to sensitive resources or other systems.
This vulnerability was publicly disclosed on 2026-04-03. The availability of a public description and the critical severity suggest a high probability of exploitation. There is currently no indication of active exploitation campaigns or inclusion in the CISA KEV catalog, but the ease of exploitation makes it a likely target. Public proof-of-concept code is expected to emerge quickly.
Exploit Status
EPSS: 0.18% (40th percentile)
The primary mitigation is to immediately upgrade to @nyariv/sandboxjs version 0.8.36 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to Function.prototype.call within the sandbox environment. This can be achieved by modifying the sandbox configuration to explicitly disallow this method. Additionally, carefully review any code that utilizes @nyariv/sandboxjs and ensure that it does not inadvertently expose the vulnerable constructor path. After upgrading, confirm the fix by attempting to execute code that previously triggered the vulnerability and verifying that the sandbox restrictions are now enforced.
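Because the mutations described above persist in the host process, the host can watch for them directly, which also gives a cheap way to confirm that an upgrade holds. The following is an added example, not code from this advisory or from the SandboxJS project: a canary that records the identity of selected globals before untrusted code runs and reports what changed afterwards. The watched list and the caller-supplied runner callback are assumptions; the tampering shown in demo() is simulated in host code, not produced by the sandbox.

```javascript
// Added example (not from the advisory or SandboxJS): host-side integrity canary.
// Each entry maps a label to a getter whose value must be identical (===) before
// and after untrusted code runs. Which globals to watch is an assumption here.
const WATCHED = {
  'Math.random': () => Math.random,
  'JSON.parse': () => JSON.parse,
  'Array.prototype.push': () => Array.prototype.push,
  'Function.prototype.call': () => Function.prototype.call,
  // Own-property names of Object.prototype, so an injected key is detected too.
  'Object.prototype': () => Object.getOwnPropertyNames(Object.prototype).join(','),
};

// Capture the current value of every watched getter.
function snapshotGlobals(watched = WATCHED) {
  const snap = new Map();
  for (const [name, get] of Object.entries(watched)) snap.set(name, get());
  return snap;
}

// Return the labels whose current value differs from the snapshot.
function diffGlobals(snap, watched = WATCHED) {
  const tampered = [];
  for (const [name, get] of Object.entries(watched)) {
    if (get() !== snap.get(name)) tampered.push(name);
  }
  return tampered;
}

// Run untrusted code through a caller-supplied runner (e.g. a compiled sandbox
// script) and check the canaries afterwards, even if the code threw.
function runGuarded(runUntrusted, watched = WATCHED) {
  const before = snapshotGlobals(watched);
  let result, error;
  try { result = runUntrusted(); } catch (e) { error = e; }
  return { result, error, tampered: diffGlobals(before, watched) };
}

// Constructed demonstration: simulate the post-escape state the advisory
// describes (Math.random replaced, a property injected into Object.prototype)
// directly in host code, then restore the host so later code is unaffected.
function demo() {
  const originalRandom = Math.random;
  const clean = runGuarded(() => 1 + 1);
  const dirty = runGuarded(() => { Math.random = () => 0.5; });
  Math.random = originalRandom;
  const polluted = runGuarded(() => { Object.prototype.injected = 1; });
  delete Object.prototype.injected;
  return { clean: clean.tampered, dirty: dirty.tampered, polluted: polluted.tampered };
}
```

Run the check in a test suite after every sandboxed script, or on a timer in production; any non-empty list means host state was changed and the process should be treated as compromised.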
Update SandboxJS to version 0.8.36 or higher to mitigate the sandbox escape vulnerability. The update fixes the issue by correctly blocking assignments to global objects, preventing malicious code from writing arbitrary properties to the host's global objects.
CVE-2026-34208 is a critical remote code execution vulnerability in the @nyariv/sandboxjs library, allowing attackers to bypass sandbox restrictions and execute arbitrary code.
You are affected if you are using @nyariv/sandboxjs versions prior to 0.8.36. Immediately assess your dependencies and upgrade if necessary.
Upgrade to @nyariv/sandboxjs version 0.8.36 or later. As a temporary workaround, restrict access to Function.prototype.call within the sandbox configuration.
While there is no confirmed active exploitation at this time, the vulnerability's critical severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the @nyariv/sandboxjs project's official advisory channels and GitHub repository for the latest information and updates.