Vulnerability in Nyariv Sandboxjs

CVE-2026-34211

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parse…

EPSS: 0.001 (24.0th percentile) — read the EPSS interpretation.

Affected products

Nyariv Sandboxjs — versions < 0.8.36

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 (x_refsource_CONFIRM)