CVE-2026-34208
Received Received - Intake
Prototype Pollution in SandboxJS Allows Persistent Global Object Mutation

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34208
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nyariv sandboxjs to 0.8.36 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-34208 allows attacker-controlled code to mutate shared host global objects persistently and across sandbox instances, leading to a complete sandbox boundary break and potential remote code execution.

Such a vulnerability can severely impact the confidentiality, integrity, and availability of data and systems, which are core requirements in common standards and regulations like GDPR and HIPAA.

Specifically, unauthorized data access and modification enabled by this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.

Therefore, if exploited in an environment subject to these standards, this vulnerability could cause non-compliance due to failure to adequately protect sensitive data and maintain system integrity.

Executive Summary

CVE-2026-34208 is a critical vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0.8.36. SandboxJS tries to prevent direct assignment to global objects like Math.random by blocking such operations. However, this protection can be bypassed because the library exposes a callable constructor function internally called SandboxGlobal. Attacker code can use this constructor via this.constructor.call(target, attackerObject) to write arbitrary properties into host global objects.

This bypass allows malicious code to mutate global objects such as Math or JSON, and these mutations persist across different sandbox instances within the same process. This means the sandbox boundary is completely broken, allowing attacker-controlled code to affect the host environment.

The vulnerability arises because the protection only applies to direct assignments, but calling the constructor function with Function.prototype.call is allowed, enabling attackers to inject malicious properties or functions into global objects.

Impact Analysis

This vulnerability can have severe impacts because it allows untrusted sandboxed code to mutate shared host global objects despite explicit protections. These mutations persist process-wide and can affect all sandbox instances running in the same process.

Such persistent contamination can lead to hijacking of application control flow that relies on trusted built-in objects, potentially resulting in remote code execution. For example, attackers can overwrite Math.random or inject commands that can be executed on the host system.

The CVSS v3.1 base score is 10.0 (Critical), indicating that the vulnerability is easy to exploit remotely without privileges or user interaction, and it can cause high confidentiality and integrity impacts along with some availability impact.

Detection Guidance

This vulnerability can be detected by checking if the SandboxJS version in use is prior to 0.8.36, as versions before this are vulnerable.

To detect exploitation attempts or presence of the vulnerability, you can look for unexpected mutations in global objects such as Math or JSON within the Node.js process, especially if properties like Math.random have been overwritten.

Since the vulnerability involves the use of the constructor call bypass, monitoring or logging JavaScript code that uses patterns like `this.constructor.call(target, attackerObject)` could help detect exploitation.

There are no specific network commands provided, but within a Node.js environment, you can run commands to check the version of SandboxJS installed, for example:

  • npm list sandboxjs
  • npm ls sandboxjs

To check if Math.random or other global objects have been tampered with, you can run a Node.js script to verify their behavior or properties.

  • node -e "console.log(Math.random())" # Check if Math.random returns expected random values
  • node -e "console.log(typeof Math.random)" # Should be 'function'

If Math.random or other global functions return unexpected values or types, it may indicate exploitation.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade SandboxJS to version 0.8.36 or later, where this vulnerability is fixed.

Avoid running untrusted or potentially malicious code within SandboxJS versions prior to 0.8.36, as the sandbox protections can be bypassed.

Review and restrict the use of sandboxed code that might exploit the constructor call bypass to mutate global objects.

Consider monitoring or auditing your application for unexpected mutations of global objects like Math or JSON, which could indicate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart