CVE-2026-34208: CWE-693: Protection Mechanism Failure in nyariv SandboxJS
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
AI Analysis
Technical Summary
SandboxJS versions before 0.8.36 contain a protection mechanism failure (CWE-693) that allows attackers to bypass restrictions on modifying global objects. The vulnerability arises because the constructor property resolves to an internal SandboxGlobal function, and Function.prototype.call is permitted, enabling attacker-controlled code to write arbitrary properties into host global objects. These changes persist across sandbox instances in the same process, compromising sandbox isolation. This issue is addressed in version 0.8.36 of SandboxJS.
Potential Impact
Successful exploitation allows an attacker to modify global objects arbitrarily, leading to persistent mutations that affect all sandbox instances within the same process. This compromises the sandbox's isolation guarantees, potentially enabling full compromise of the host environment's confidentiality and integrity. Availability impact is low. The CVSS score of 10.0 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade SandboxJS to version 0.8.36 or later, where this vulnerability is fixed. Since the vulnerability is resolved in this version, no additional mitigation steps are required beyond applying the update. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 0.8.36.
CVE-2026-34208: CWE-693: Protection Mechanism Failure in nyariv SandboxJS
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SandboxJS versions before 0.8.36 contain a protection mechanism failure (CWE-693) that allows attackers to bypass restrictions on modifying global objects. The vulnerability arises because the constructor property resolves to an internal SandboxGlobal function, and Function.prototype.call is permitted, enabling attacker-controlled code to write arbitrary properties into host global objects. These changes persist across sandbox instances in the same process, compromising sandbox isolation. This issue is addressed in version 0.8.36 of SandboxJS.
Potential Impact
Successful exploitation allows an attacker to modify global objects arbitrarily, leading to persistent mutations that affect all sandbox instances within the same process. This compromises the sandbox's isolation guarantees, potentially enabling full compromise of the host environment's confidentiality and integrity. Availability impact is low. The CVSS score of 10.0 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade SandboxJS to version 0.8.36 or later, where this vulnerability is fixed. Since the vulnerability is resolved in this version, no additional mitigation steps are required beyond applying the update. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 0.8.36.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T15:57:52.324Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3d1a00a160ebd92c130d3
Added to database: 4/6/2026, 3:30:40 PM
Last enriched: 4/6/2026, 3:45:36 PM
Last updated: 4/7/2026, 7:09:15 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.