Executive Summary

This vulnerability exists in the @nyariv/sandboxjs JavaScript sandboxing library versions up to 0.8.35. It is caused by unbounded recursion in the parser functions, specifically in the restOfExp function and the lispify/lispifyExpr call chain.

When the parser processes deeply nested expressions (such as around 2000 nested parentheses), it recursively calls itself without any limit on recursion depth. This leads to a stack overflow, triggering a RangeError: Maximum call stack size exceeded, which crashes the entire Node.js process.

The root cause is that the recursive functions do not track or limit recursion depth, allowing an attacker to supply crafted input that causes the parser to exceed the maximum call stack size.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in SandboxJS allows an attacker to cause a denial-of-service (DoS) by crashing any Node.js process parsing untrusted input through unbounded recursion. This results in service disruption.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial-of-service vulnerabilities can indirectly affect compliance by causing service unavailability, which may violate availability requirements in these regulations.

However, there is no direct information provided about data breaches, unauthorized access, or data integrity issues related to this vulnerability, which are typically more critical for compliance concerns.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing any Node.js process that uses @nyariv/sandboxjs to parse untrusted input.

An attacker can exploit this by sending a specially crafted input with deeply nested expressions, causing the process to terminate unexpectedly due to a stack overflow error.

Since the error is a RangeError caused by exceeding the maximum call stack size, it cannot be caught or handled normally, resulting in complete service disruption.

This attack is trivial to construct and requires no authentication, making any application using this library vulnerable to easy and effective denial of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by observing if any Node.js process using @nyariv/sandboxjs crashes with a RangeError indicating 'Maximum call stack size exceeded' when parsing input.

A practical detection method is to run a test script that supplies deeply nested expressions (e.g., around 2000 nested parentheses) to the vulnerable parser and observe if the process crashes.

Example test commands in a Node.js environment could include running a script that attempts to parse such deeply nested input using the vulnerable version of @nyariv/sandboxjs.

• Create a test script that generates deeply nested parentheses or brackets (e.g., 2000 levels).
• Run the script with Node.js using the vulnerable @nyariv/sandboxjs version (≤ 0.8.35).
• Observe if the process crashes with a RangeError: Maximum call stack size exceeded.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the @nyariv/sandboxjs package to version 0.8.36 or later, where the vulnerability is fixed.

The fix involves adding a maximum recursion depth limit (e.g., 256) to the recursive parsing functions to prevent stack overflow crashes.

Until the upgrade is applied, avoid parsing untrusted input with vulnerable versions of @nyariv/sandboxjs to prevent denial-of-service crashes.

Useful 0 Not Useful 0