CVE-2026-34211
Published: 06 April 2026
Summary
CVE-2026-34211 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Nyariv Sandboxjs. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates this CVE by applying the vendor fix in SandboxJS 0.8.36 to bound recursion and prevent stack exhaustion from deeply nested expressions.
Information input validation rejects or sanitizes untrusted inputs with excessive nesting before parsing, preventing the unbounded recursion trigger in the SandboxJS parser.
Denial-of-service protection implements controls like resource limits or rate limiting to mitigate stack exhaustion attacks from crafted recursive inputs.
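One way to apply the input-validation control above in front of the parser, as an added example that is not SandboxJS code or part of the advisory. The names `checkUntrustedSource` and `nestingDepth` are hypothetical and the limit values are assumed thresholds. The depth scan skips quoted strings and comments but does not tokenize regex literals or template interpolations, so the cap on total opening brackets is the bound that holds however the input tokenizes.

```javascript
// Added example: pre-parse gate for untrusted source text.
// Limits are assumptions; tune them against your own parser and stack size.
const DEFAULT_LIMITS = { maxLength: 10000, maxDepth: 64, maxOpeners: 512 };

// Maximum bracket nesting outside quoted strings and comments.
function nestingDepth(source) {
  let depth = 0, max = 0;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '"' || ch === "'" || ch === '`') {
      // Skip to the matching unescaped quote.
      for (i++; i < source.length && source[i] !== ch; i++) {
        if (source[i] === '\\') i++;
      }
    } else if (ch === '/' && source[i + 1] === '/') {
      while (i < source.length && source[i] !== '\n') i++;
    } else if (ch === '/' && source[i + 1] === '*') {
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? source.length : end + 1;
    } else if ('([{'.includes(ch)) {
      max = Math.max(max, ++depth);
    } else if (')]}'.includes(ch)) {
      depth = Math.max(0, depth - 1);
    }
  }
  return max;
}

// Returns { ok: true, depth } or { ok: false, reason }.
function checkUntrustedSource(source, limits = DEFAULT_LIMITS) {
  if (typeof source !== 'string') return { ok: false, reason: 'not a string' };
  if (source.length > limits.maxLength) {
    return { ok: false, reason: 'input too long' };
  }
  // Real nesting can never exceed the raw number of opening brackets, so
  // this cap still holds if the scan below is confused by a regex literal.
  const openers = (source.match(/[(\[{]/g) || []).length;
  if (openers > limits.maxOpeners) {
    return { ok: false, reason: 'too many opening brackets' };
  }
  const depth = nestingDepth(source);
  if (depth > limits.maxDepth) {
    return { ok: false, reason: `nesting depth ${depth} exceeds ${limits.maxDepth}` };
  }
  return { ok: true, depth };
}
```

Run the check before handing input to the parser, and keep it in addition to upgrading to 0.8.36 rather than instead of it.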
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unbounded recursion vulnerability in the SandboxJS parser directly enables remote attackers to crash Node.js processes handling untrusted input via deeply nested expressions, mapping to application exploitation for endpoint denial of service.
NVD Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
Deeper analysis
CVE-2026-34211 affects SandboxJS, a JavaScript sandboxing library, specifically versions prior to 0.8.36 in the @nyariv/sandboxjs parser. The vulnerability stems from unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain, which can be triggered by parsing deeply nested expressions. This leads to a RangeError: Maximum call stack size exceeded in any Node.js process handling untrusted input, resulting in process termination. The issue is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. By supplying malicious input such as approximately 2000 nested parentheses to the parser, the recursion exhausts the Node.js call stack, causing a denial-of-service condition that crashes the affected process. This impacts availability but does not allow confidentiality or integrity violations.
The GitHub security advisory at https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 confirms the vulnerability and states that it is fixed in SandboxJS version 0.8.36, recommending immediate upgrades for applications parsing untrusted input.
Details
- CWE(s)