CVE-2026-34208
Prototype Pollution in SandboxJS Allows Persistent Global Object Mutation
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nyariv | sandboxjs | to 0.8.36 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34208 is a critical vulnerability in the SandboxJS JavaScript sandboxing library versions prior to 0.8.36. SandboxJS tries to prevent direct assignment to global objects like Math.random by blocking such operations. However, this protection can be bypassed because the library exposes a callable constructor function internally called SandboxGlobal. Attacker code can use this constructor via this.constructor.call(target, attackerObject) to write arbitrary properties into host global objects.
This bypass allows malicious code to mutate global objects such as Math or JSON, and these mutations persist across different sandbox instances within the same process. This means the sandbox boundary is completely broken, allowing attacker-controlled code to affect the host environment.
The vulnerability arises because the protection only applies to direct assignments, but calling the constructor function with Function.prototype.call is allowed, enabling attackers to inject malicious properties or functions into global objects.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-34208 allows attacker-controlled code to mutate shared host global objects persistently and across sandbox instances, leading to a complete sandbox boundary break and potential remote code execution.
Such a vulnerability can severely impact the confidentiality, integrity, and availability of data and systems, which are core requirements in common standards and regulations like GDPR and HIPAA.
Specifically, unauthorized data access and modification enabled by this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.
Therefore, if exploited in an environment subject to these standards, this vulnerability could cause non-compliance due to failure to adequately protect sensitive data and maintain system integrity.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows untrusted sandboxed code to mutate shared host global objects despite explicit protections. These mutations persist process-wide and can affect all sandbox instances running in the same process.
Such persistent contamination can lead to hijacking of application control flow that relies on trusted built-in objects, potentially resulting in remote code execution. For example, attackers can overwrite Math.random or inject commands that can be executed on the host system.
The CVSS v3.1 base score is 10.0 (Critical), indicating that the vulnerability is easy to exploit remotely without privileges or user interaction, and it can cause high confidentiality and integrity impacts along with some availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the SandboxJS version in use is prior to 0.8.36, as versions before this are vulnerable.
To detect exploitation attempts or presence of the vulnerability, you can look for unexpected mutations in global objects such as Math or JSON within the Node.js process, especially if properties like Math.random have been overwritten.
Since the vulnerability involves the use of the constructor call bypass, monitoring or logging JavaScript code that uses patterns like `this.constructor.call(target, attackerObject)` could help detect exploitation.
There are no specific network commands provided, but within a Node.js environment, you can run commands to check the version of SandboxJS installed, for example:
- npm list sandboxjs
- npm ls sandboxjs
To check if Math.random or other global objects have been tampered with, you can run a Node.js script to verify their behavior or properties.
- node -e "console.log(Math.random())" # Check if Math.random returns expected random values
- node -e "console.log(typeof Math.random)" # Should be 'function'
If Math.random or other global functions return unexpected values or types, it may indicate exploitation.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade SandboxJS to version 0.8.36 or later, where this vulnerability is fixed.
Avoid running untrusted or potentially malicious code within SandboxJS versions prior to 0.8.36, as the sandbox protections can be bypassed.
Review and restrict the use of sandboxed code that might exploit the constructor call bypass to mutate global objects.
Consider monitoring or auditing your application for unexpected mutations of global objects like Math or JSON, which could indicate exploitation.