Exposure of Resource to Wrong Sphere in @nyariv/sandboxjs | CVE-2026-34217

Q: How to fix?

Upgrade @nyariv/sandboxjs to version 0.8.36 or higher.

Introduced: 3 Apr 2026

NewCVE-2026-34217 (opens in a new tab) CWE-668 (opens in a new tab)

How to fix?

Upgrade @nyariv/sandboxjs to version 0.8.36 or higher.

Overview

@nyariv/sandboxjs is a Javascript sandboxing library.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the New handler due to missing sanitization of both constructor arguments and return values. An attacker can access and modify internal interpreter objects, including scope variables outside the intended sandbox, by passing specially crafted arguments that leak references to protected objects. This is only exploitable if the host application reads the return value from the sandbox execution, which is the standard and documented usage pattern.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Exposure of Resource to Wrong Sphere Affecting @nyariv/sandboxjs package, versions <0.8.36

Severity

Do your applications use this vulnerable package?

Introduced: 3 Apr 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk