Vulnerability Details CVE-2026-34211
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.2%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-34211
-
cpe:2.3:a:nyariv:sandboxjs:0.1.0
-
cpe:2.3:a:nyariv:sandboxjs:0.1.1
-
cpe:2.3:a:nyariv:sandboxjs:0.2.0
-
cpe:2.3:a:nyariv:sandboxjs:0.2.1
-
cpe:2.3:a:nyariv:sandboxjs:0.2.2
-
cpe:2.3:a:nyariv:sandboxjs:0.2.3
-
cpe:2.3:a:nyariv:sandboxjs:0.3.0
-
cpe:2.3:a:nyariv:sandboxjs:0.3.1
-
cpe:2.3:a:nyariv:sandboxjs:0.3.10
-
cpe:2.3:a:nyariv:sandboxjs:0.3.11
-
cpe:2.3:a:nyariv:sandboxjs:0.3.12
-
cpe:2.3:a:nyariv:sandboxjs:0.3.13
-
cpe:2.3:a:nyariv:sandboxjs:0.3.14
-
cpe:2.3:a:nyariv:sandboxjs:0.3.15
-
cpe:2.3:a:nyariv:sandboxjs:0.3.16
-
cpe:2.3:a:nyariv:sandboxjs:0.3.17
-
cpe:2.3:a:nyariv:sandboxjs:0.3.18
-
cpe:2.3:a:nyariv:sandboxjs:0.3.2
-
cpe:2.3:a:nyariv:sandboxjs:0.3.3
-
cpe:2.3:a:nyariv:sandboxjs:0.3.4
-
cpe:2.3:a:nyariv:sandboxjs:0.3.5
-
cpe:2.3:a:nyariv:sandboxjs:0.3.6
-
cpe:2.3:a:nyariv:sandboxjs:0.3.7
-
cpe:2.3:a:nyariv:sandboxjs:0.3.8
-
cpe:2.3:a:nyariv:sandboxjs:0.3.9
-
cpe:2.3:a:nyariv:sandboxjs:0.4.0
-
cpe:2.3:a:nyariv:sandboxjs:0.5.0
-
cpe:2.3:a:nyariv:sandboxjs:0.5.2
-
cpe:2.3:a:nyariv:sandboxjs:0.5.3
-
cpe:2.3:a:nyariv:sandboxjs:0.6.0
-
cpe:2.3:a:nyariv:sandboxjs:0.6.1
-
cpe:2.3:a:nyariv:sandboxjs:0.6.2
-
cpe:2.3:a:nyariv:sandboxjs:0.7.0
-
cpe:2.3:a:nyariv:sandboxjs:0.7.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.0
-
cpe:2.3:a:nyariv:sandboxjs:0.8.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.10
-
cpe:2.3:a:nyariv:sandboxjs:0.8.11
-
cpe:2.3:a:nyariv:sandboxjs:0.8.12
-
cpe:2.3:a:nyariv:sandboxjs:0.8.14
-
cpe:2.3:a:nyariv:sandboxjs:0.8.15
-
cpe:2.3:a:nyariv:sandboxjs:0.8.15.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.16
-
cpe:2.3:a:nyariv:sandboxjs:0.8.17
-
cpe:2.3:a:nyariv:sandboxjs:0.8.18
-
cpe:2.3:a:nyariv:sandboxjs:0.8.19
-
cpe:2.3:a:nyariv:sandboxjs:0.8.2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.20
-
cpe:2.3:a:nyariv:sandboxjs:0.8.21
-
cpe:2.3:a:nyariv:sandboxjs:0.8.22
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23-1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23.2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23.3
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24-1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24-2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.25
-
cpe:2.3:a:nyariv:sandboxjs:0.8.26
-
cpe:2.3:a:nyariv:sandboxjs:0.8.27
-
cpe:2.3:a:nyariv:sandboxjs:0.8.28
-
cpe:2.3:a:nyariv:sandboxjs:0.8.29
-
cpe:2.3:a:nyariv:sandboxjs:0.8.3
-
cpe:2.3:a:nyariv:sandboxjs:0.8.30
-
cpe:2.3:a:nyariv:sandboxjs:0.8.31
-
cpe:2.3:a:nyariv:sandboxjs:0.8.4
-
cpe:2.3:a:nyariv:sandboxjs:0.8.5
-
cpe:2.3:a:nyariv:sandboxjs:0.8.6
-
cpe:2.3:a:nyariv:sandboxjs:0.8.7
-
cpe:2.3:a:nyariv:sandboxjs:0.8.8
-
cpe:2.3:a:nyariv:sandboxjs:0.8.9