Executive Summary

CVE-2026-34217 is a scope modification vulnerability in the npm package @nyariv/sandboxjs versions 0.8.35 and below. The flaw exists in the "New" operator handler within the sandbox interpreter, where constructor arguments and return values are not properly sanitized.

When sandboxed code executes a new constructor call, the arguments are passed directly as raw internal Prop objects, which contain references to the sandbox's scope objects. These internal objects include references to global JavaScript objects like globalThis, Function, eval, console, Array, and Object.

Because these Prop objects are not sanitized, malicious sandboxed code can access and leak internal scope objects by reading the context property of a Prop passed as a constructor argument. This allows untrusted code to modify or access variables beyond its intended sandbox scope.

Although code evaluation remains sandboxed and prototypes remain protected, this vulnerability enables unexpected and undesired scope modifications inside the sandbox.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker controlling sandboxed code to escalate privileges by accessing and modifying variables outside their allowed sandbox scope without authentication or user interaction.

An attacker can leak internal interpreter objects and global scope references, potentially leading to unauthorized access or manipulation of sensitive data or functionality within the sandbox environment.

While the sandboxed code evaluation and prototypes remain protected, the ability to modify scopes inside the sandbox can lead to unexpected behavior and security risks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves untrusted sandboxed code leaking internal interpreter objects through the new operator in the @nyariv/sandboxjs library. Detection involves analyzing the behavior of sandboxed code that uses the new operator to see if it can access or leak internal scope objects.

Specifically, you can look for sandboxed code that constructs objects with the new operator and inspects constructor arguments or return values for references to internal scope objects or Prop objects that expose the sandbox's variable storage.

Since the vulnerability is in the handling of the new operator in the sandbox interpreter, commands or scripts that monitor or log usage of the new operator within sandboxed code, or that detect unexpected access to internal scope variables, can help identify exploitation attempts.

However, no explicit detection commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, the critical fix is to update the @nyariv/sandboxjs package to version 0.8.36 or later, where the New operator handler properly sanitizes constructor arguments and return values.

• Modify the New handler to apply the sanitization functions `valueOrProp()` to constructor arguments and sanitize the constructed object before returning it.
• Implement deep sanitization in Sandbox.ts to strip internal references from any values returned to the host.
• Freeze or seal the global scope objects (`options.globals` and `scope.allVars`) after construction to prevent mutation via leaked references.

These steps help prevent untrusted sandboxed code from accessing or modifying variables outside its intended scope.

Useful 0 Not Useful 0