SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

Description

A vulnerability marked as problematic has been reported in nyariv SandboxJS up to 0.8.35. Affected is the function restOfExp. The manipulation leads to uncontrolled recursion. This vulnerability is documented as CVE-2026-34211. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
nyariv	sandboxjs	< 0.8.36

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-34211 | nyariv SandboxJS up to 0.8.35 restOfExp recursion (GHSA-8pfc-jjgw-6g26)

→ No new info (linked only)

CVSS 3.17.5 HIGH

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

@nyariv/sandboxjs@0.8.36

CWECWE-674

PublishedApr 3, 2026

Last enriched5h agov2

Community Vote

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated description with new details, changed severity to HIGH, set CVSS estimate to 7.5, and marked the vulnerability as actively exploited.

descriptionseveritycvssEstimateactivelyExploited

via VulDB

v12d ago

Initial creation

SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History