CVE-2026-34211 Overview
CVE-2026-34211 is a Denial of Service vulnerability affecting the SandboxJS JavaScript sandboxing library. The library's parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process.
Critical Impact
Applications using @nyariv/sandboxjs to parse untrusted JavaScript expressions are vulnerable to complete process termination through crafted deeply nested input, resulting in service unavailability.
Affected Products
- nyariv sandboxjs versions prior to 0.8.36
- Node.js applications using @nyariv/sandboxjs for JavaScript sandboxing
- Web applications and services that parse user-supplied JavaScript expressions
Discovery Timeline
- 2026-04-06 - CVE-2026-34211 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34211
Vulnerability Analysis
This vulnerability stems from uncontrolled recursion (CWE-674) in the SandboxJS parser's expression handling logic. The parser uses recursive descent techniques to process JavaScript expressions, but lacks adequate depth limits when encountering nested constructs. When processing deeply nested expressions, the parser's restOfExp function and the lispify/lispifyExpr call chain recurse without bound, eventually exhausting the JavaScript call stack.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for publicly accessible services. The vulnerability affects availability only—there is no impact on confidentiality or integrity of data.
Root Cause
The root cause is the absence of recursion depth limits in the parser's expression processing functions. The restOfExp function and lispify/lispifyExpr call chain process nested expressions by calling themselves recursively for each level of nesting. Without explicit depth tracking and limits, the parser will continue recursing until the JavaScript engine's call stack is exhausted (typically around 10,000-15,000 frames depending on the environment).
Attack Vector
The attack vector is network-based, requiring the attacker to submit malicious input to an application that uses SandboxJS to parse untrusted JavaScript expressions. The attacker crafts an expression with approximately 2000 or more nested parentheses or similar recursive constructs.
When the SandboxJS parser attempts to process this input, each level of nesting triggers a recursive function call. With ~2000 levels of nesting, the call stack overflows and Node.js throws a RangeError: Maximum call stack size exceeded. Since this error is typically unhandled in the parsing context, it causes the entire Node.js process to crash, resulting in denial of service.
The attack requires minimal complexity—the malicious payload is simply a string of repeated characters (e.g., opening parentheses) and does not require sophisticated exploit development.
Detection Methods for CVE-2026-34211
Indicators of Compromise
- Repeated Node.js process crashes with RangeError: Maximum call stack size exceeded errors
- Application logs showing parsing failures on unusually large or deeply nested input
- HTTP requests containing payloads with thousands of nested parentheses or brackets
- Sudden service unavailability following user input processing
Detection Strategies
- Monitor application logs for RangeError: Maximum call stack size exceeded errors originating from the SandboxJS module
- Implement input validation rules to reject expressions exceeding reasonable nesting depths
- Deploy Web Application Firewall (WAF) rules to detect and block requests with excessive repetition of nesting characters
- Set up process monitoring to alert on unexpected Node.js crashes or restarts
Monitoring Recommendations
- Configure application performance monitoring (APM) to track SandboxJS parsing operations and flag anomalous processing times
- Implement rate limiting on endpoints that accept JavaScript expressions for parsing
- Monitor for unusual patterns in request payloads, particularly those with high character repetition
- Set up automated restart mechanisms with crash reporting to maintain service availability while investigating incidents
How to Mitigate CVE-2026-34211
Immediate Actions Required
- Upgrade @nyariv/sandboxjs to version 0.8.36 or later immediately
- Audit all applications using SandboxJS to identify exposure to untrusted input
- Implement input length and nesting depth validation as a defense-in-depth measure
- Consider rate limiting endpoints that process user-supplied expressions
Patch Information
The vulnerability is fixed in SandboxJS version 0.8.36. The patch implements recursion depth limits in the parser's expression handling functions to prevent call stack exhaustion. Organizations should update their package.json to require the patched version and run npm update or yarn upgrade to apply the fix. For detailed information, refer to the GitHub Security Advisory GHSA-8pfc-jjgw-6g26.
Workarounds
- Implement server-side input validation to reject expressions with excessive nesting before passing to SandboxJS
- Add a pre-processing step that counts nesting depth and rejects input exceeding a safe threshold (e.g., 500 levels)
- Wrap SandboxJS parsing calls in try-catch blocks to gracefully handle RangeError exceptions
- Consider running SandboxJS parsing in isolated worker threads to prevent main process termination
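An added example (not code from SandboxJS or from the advisory) of the pre-processing and try-catch workarounds above: an iterative nesting-depth check followed by a guarded parse call. `parseFn`, the function names and the 10,000-character length cap are assumptions made for illustration; the 500-level threshold is the example value from the list above.

```javascript
// Added example: pre-parse guard for expressions handed to a recursive parser.
// parseFn is a caller-supplied stand-in for the SandboxJS call (assumption).
const LIMITS = { maxLength: 10000, maxDepth: 500 }; // 500: the page's example threshold

// Iterative scan (no recursion), so the guard cannot itself overflow the stack.
// Fail-closed inside quotes: openers still count, closers are ignored, so a
// ")" hidden in a string literal cannot be used to lower the measured depth.
function maxNestingDepth(src) {
  let depth = 0, max = 0, quote = null;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') { i++; continue; }          // skip the escaped character
      if (ch === quote) { quote = null; continue; } // end of string literal
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch; continue;                         // start of string literal
    }
    if (ch === '(' || ch === '[' || ch === '{') {
      if (++depth > max) max = depth;
    } else if (!quote && (ch === ')' || ch === ']' || ch === '}')) {
      if (depth > 0) depth--;
    }
  }
  return max;
}

function checkExpression(src, limits = LIMITS) {
  if (typeof src !== 'string') return { ok: false, reason: 'not-a-string' };
  if (src.length > limits.maxLength) return { ok: false, reason: 'too-long' };
  const depth = maxNestingDepth(src);
  if (depth > limits.maxDepth) return { ok: false, reason: 'too-deep', depth };
  return { ok: true, depth };
}

// Backstop: a stack overflow in the parser becomes a rejected request, not a crash.
function guardedParse(src, parseFn, limits = LIMITS) {
  const verdict = checkExpression(src, limits);
  if (!verdict.ok) return { ok: false, reason: verdict.reason };
  try {
    return { ok: true, value: parseFn(src) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, reason: 'parser-stack-exhausted' };
    throw err; // other errors are the caller's to handle
  }
}
```

The depth check measures bracket nesting only, so the length cap and the RangeError backstop are what cover other recursive constructs; none of this replaces the upgrade to 0.8.36.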
```bash
# Update SandboxJS to the patched version
# (npm update does not accept a version specifier, so use npm install)
npm install @nyariv/sandboxjs@0.8.36
# Verify the installed version
npm list @nyariv/sandboxjs
# For yarn users
yarn upgrade @nyariv/sandboxjs@0.8.36
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


