High severity · 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 9, 2026
CVE-2026-34211
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
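The failure class described above, shown on a toy recursive-descent parser. This is an added example, not SandboxJS code: the grammar, `parseExpr`, `NestingError` and the depth budget of 256 are assumptions made for illustration, and the advisory does not say how 0.8.36 implements its fix.

```javascript
// Added illustration: a toy recursive-descent parser, not SandboxJS code.
// Grammar: expr := NUMBER | "(" expr ")"
class NestingError extends Error {}

const NUMBER = /\d+/y; // sticky: matches only at lastIndex

// One JS call frame per "(": input nesting depth drives call-stack depth.
// maxDepth = Infinity reproduces the unbounded pattern; a finite budget
// (an assumed mitigation, not necessarily the 0.8.36 fix) fails cleanly.
function parseExpr(src, maxDepth, pos, depth) {
  if (depth > maxDepth) {
    throw new NestingError(`nesting deeper than ${maxDepth} at offset ${pos}`);
  }
  if (src[pos] === "(") {
    const inner = parseExpr(src, maxDepth, pos + 1, depth + 1);
    if (src[inner.end] !== ")") {
      throw new SyntaxError(`expected ")" at offset ${inner.end}`);
    }
    return { value: inner.value, end: inner.end + 1 };
  }
  NUMBER.lastIndex = pos;
  const m = NUMBER.exec(src);
  if (!m) throw new SyntaxError(`expected number at offset ${pos}`);
  return { value: Number(m[0]), end: pos + m[0].length };
}

function parse(src, maxDepth) {
  const { value, end } = parseExpr(src, maxDepth, 0, 0);
  if (end !== src.length) throw new SyntaxError(`trailing input at offset ${end}`);
  return value;
}

// Returns "ok" or the name of the error class the parse ended with.
function outcome(src, maxDepth) {
  try {
    parse(src, maxDepth);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed sample input: n nested parentheses around a literal.
const nested = (n) => "(".repeat(n) + "1" + ")".repeat(n);

console.log(outcome(nested(10), 256));          // ok
console.log(outcome(nested(200000), Infinity)); // RangeError
console.log(outcome(nested(200000), 256));      // NestingError
```

`outcome` catches the `RangeError` only to report it; in a host that does not catch it, the error ends the process as the advisory describes.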
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @nyariv/sandboxjs (npm) | < 0.8.36 | 0.8.36 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (3)
- github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-8pfc-jjgw-6g26 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34211 (ghsa: ADVISORY)