CRITICAL🇵🇱 Wersja polska

CVE-2026-34208

CVSS 10.0v3.1pub. 2026-04-06upd. 2026-04-09

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

🤖 AI Analysis
How it works

SandboxJS blocks direct assignment of properties to global objects (e.g., Math.random = ...), however this protection can be bypassed by calling this.constructor.call(target, attackerObject). Since this.constructor points to the internal SandboxGlobal function, and Function.prototype.call is allowed, attacker code can write arbitrary properties to global host objects. These mutations are permanent and persist across all sandbox instances running in the same process, effectively breaking the isolation boundary.

Impact

An attacker can permanently modify global objects in the host environment, leading to data integrity violations, potential information disclosure, and takeover of control over the logic of other sandbox instances running in the same process.

Mitigation & patch

The SandboxJS library should be updated to version 0.8.36 or later, where the vulnerability has been fixed. Details available in the vendor's references (GitHub Security Advisory GHSA-2gg9-6p7w-6cpj).

Who is affected

Nyariv SandboxJS in versions earlier than 0.8.36

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • Nyariv Sandboxjs

    APP
    Nyariv
    < 0.8.36
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-43898CRITICAL10.0PL ✓ten sam produkt

SandboxJS: ucieczka z piaskownicy przez Function.caller i RCE

CVE-2026-26954CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandbox w bibliotece Nyariv SandboxJS (RCE)

CVE-2026-25881CRITICAL9.0PL ✓ten sam produkt

SandboxJS: ucieczka z sandboxu i prototype pollution umożliwiająca RCE

CVE-2026-25520CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w SandboxJS — wykonanie kodu poza piaskownicą

CVE-2026-25587CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece SandboxJS poprzez nadpisanie Map.prototype