High severity 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 9, 2026
CVE-2026-34211
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
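For services that must accept untrusted expressions and cannot move to 0.8.36 immediately, the sketch below bounds nesting before the parser runs and contains a stack-exhaustion `RangeError` if one still occurs. It is an added example, not SandboxJS code and not the project's fix; `guardedParse`, `parseFn`, the limits 200 and 100000, and the toy parser are assumptions made for illustration, and the guard does not replace the upgrade.

```javascript
// Added example: a defensive wrapper, not SandboxJS code.
const OPENERS = new Set(['(', '[', '{']);
const CLOSERS = new Set([')', ']', '}']);

// Iterative scan, so the check cannot exhaust the stack itself. Brackets are
// counted even inside strings and comments: the result may overestimate the
// real nesting depth but never underestimates it.
function maxBracketDepth(source) {
  let depth = 0;
  let max = 0;
  for (const ch of source) {
    if (OPENERS.has(ch)) {
      depth += 1;
      if (depth > max) max = depth;
    } else if (CLOSERS.has(ch) && depth > 0) {
      depth -= 1;
    }
  }
  return max;
}

// parseFn is supplied by the caller (hypothetical hook for the parser call).
// maxDepth and maxLength defaults are assumed values; tune them to your inputs.
function guardedParse(source, parseFn, { maxDepth = 200, maxLength = 100000 } = {}) {
  if (typeof source !== 'string') return { ok: false, reason: 'not-a-string' };
  if (source.length > maxLength) return { ok: false, reason: 'input-too-long' };
  if (maxBracketDepth(source) > maxDepth) return { ok: false, reason: 'nesting-too-deep' };
  try {
    return { ok: true, value: parseFn(source) };
  } catch (err) {
    // Stack exhaustion is thrown as a RangeError. Caught here, it rejects one
    // input instead of propagating as an uncaught exception.
    if (err instanceof RangeError) return { ok: false, reason: 'parser-stack-exhausted' };
    throw err;
  }
}

// Constructed stand-in for a recursive-descent parser: returns the number of
// parenthesised groups, recursing once per nesting level.
function toyRecursiveParse(src) {
  let pos = 0;
  function group() {
    let count = 0;
    while (pos < src.length && src[pos] !== ')') {
      if (src[pos++] === '(') { count += 1 + group(); pos += 1; }
    }
    return count;
  }
  return group();
}
```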
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @nyariv/sandboxjs (npm) | < 0.8.36 | 0.8.36 |
References
- github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 (nvd; Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-8pfc-jjgw-6g26 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34211 (ghsa; ADVISORY)