CVE-2026-34208: SandboxJS: Sandbox integrity escape

April 3, 2026 (updated April 6, 2026)

SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.

References

github.com/advisories/GHSA-2gg9-6p7w-6cpj
github.com/nyariv/SandboxJS
github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj
nvd.nist.gov/vuln/detail/CVE-2026-34208

Code Behaviors & Features

Detect and mitigate CVE-2026-34208 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →