CVE-2026-34211
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
| CWE | CWE-674 |
| Vendor | nyariv |
| Product | sandboxjs |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Affected Versions
nyariv / SandboxJS
< 0.8.36
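The description attributes the crash to parser recursion whose depth tracks the nesting of the input (CWE-674). The added example below is not SandboxJS code and not the 0.8.36 fix: it is a toy recursive descent evaluator showing how a nesting counter turns a deeply nested input into an ordinary, catchable error well before the call stack is exhausted. The names `evaluate`, `NestingLimitError` and the default limit of 64 are assumptions made for the illustration.

```javascript
// Toy recursive descent evaluator (hypothetical, not SandboxJS code).
// expr := term (('+'|'-') term)*   term := primary (('*'|'/') primary)*
// primary := NUMBER | '(' expr ')'
class NestingLimitError extends Error {}

function evaluate(src, maxDepth = 64) {
  let pos = 0;    // cursor into src
  let depth = 0;  // number of currently open '(' groups
  const peek = () => { while (src[pos] === ' ') pos++; return src[pos]; };

  function expr() {
    let value = term();
    for (let op = peek(); op === '+' || op === '-'; op = peek()) {
      pos++;
      const rhs = term();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  function term() {
    let value = primary();
    for (let op = peek(); op === '*' || op === '/'; op = peek()) {
      pos++;
      const rhs = primary();
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }

  function primary() {
    if (peek() === '(') {
      // Each '(' re-enters expr(): input nesting becomes call depth here.
      // Without this check the only limit is the engine's stack size.
      if (++depth > maxDepth) throw new NestingLimitError(`nesting deeper than ${maxDepth}`);
      pos++;
      const value = expr();
      if (peek() !== ')') throw new SyntaxError(`expected ')' at offset ${pos}`);
      pos++;
      depth--;
      return value;
    }
    const m = /^\d+(\.\d+)?/.exec(src.slice(pos));
    if (!m) throw new SyntaxError(`unexpected input at offset ${pos}`);
    pos += m[0].length;
    return Number(m[0]);
  }

  const result = expr();
  if (peek() !== undefined) throw new SyntaxError(`trailing input at offset ${pos}`);
  return result;
}
```

The limit is checked before the recursive call, so the cost of rejecting hostile input is bounded by `maxDepth` frames regardless of how long the input is.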