CVE-2026-34217
Published: 06 April 2026
Summary
CVE-2026-34217 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Nyariv Sandboxjs. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the SandboxJS library to version 0.8.36 or later, directly eliminating the scope modification vulnerability exploited via the new operator.
Enforces policies and controls for executing untrusted mobile code like JavaScript in SandboxJS sandboxes, reducing exposure to scope object leakage.
Mandates robust software-enforced separation mechanisms in SandboxJS to isolate untrusted code from internal interpreter objects and scope hierarchy.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the SandboxJS library allows remote supply of untrusted JavaScript code that exploits scope leaks via the new operator, directly enabling exploitation of public-facing applications using the library (T1190) and execution via JavaScript interpreter with unintended scope access (T1059.007).
NVD Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to…
more
untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.
Deeper analysisAI
CVE-2026-34217 is a scope modification vulnerability in SandboxJS, a JavaScript sandboxing library distributed as @nyariv/sandboxjs. Versions prior to 0.8.36 are affected, where untrusted sandboxed code can leak internal interpreter objects through the new operator. This exposes sandbox scope objects in the scope hierarchy to the untrusted code, representing an unexpected exploit primitive. The issue is rated with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-668 (Exposure of Resource to Wrong Sphere).
The vulnerability can be exploited by any attacker who can supply untrusted JavaScript code to be executed within a SandboxJS sandbox. Exploitation occurs remotely over a network with low complexity and no privileges or user interaction required, but it changes scope. Successful exploitation allows the untrusted code to access and potentially modify scopes inside the sandbox, though code evaluation remains sandboxed and prototypes stay protected, limiting the impact to low confidentiality and integrity violations without availability effects.
The GitHub security advisory (GHSA-hg73-4w7g-q96w) confirms the vulnerability is fixed in SandboxJS version 0.8.36, recommending that users upgrade to this or later versions to mitigate the issue. No additional workarounds are specified in the provided references.
Details
- CWE(s)