CVE-2026-34211 | THREATINT

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.

PUBLISHED Reserved 2026-03-26 | Published 2026-04-06 | Updated 2026-04-07 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-674: Uncontrolled Recursion

Product status

< 0.8.36

affected

References

github.com/...dboxJS/security/advisories/GHSA-8pfc-jjgw-6g26

cve.org (CVE-2026-34211)

nvd.nist.gov (CVE-2026-34211)

Download JSON