CVE-2026-34211
Severity: HIGH
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Title source: cnaDescription
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
Scores
CVSS v3: 7.5
EPSS: 0.0006
EPSS Percentile: 17.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-674
Status: published
Products (3)
nyariv/sandboxjs: < 0.8.36
nyariv/sandboxjs (npm): 0 - 0.8.36
nyariv/SandboxJS: < 0.8.36
Published: Apr 06, 2026
Tracked Since: Apr 06, 2026