SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.

Affected Products

Vendor	Product	Versions
nyariv	sandboxjs	< 0.8.36

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-34217 | nyariv SandboxJS up to 0.8.35 exposure of resource (GHSA-hg73-4w7g-q96w)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

@nyariv/sandboxjs@0.8.36

CWECWE-668

PublishedApr 3, 2026

Last enriched3h agov2

Community Vote

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, marked as actively exploited, and noted no available exploit.

severityactivelyExploited

via VulDB

v12d ago

Initial creation

SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History