CVE-2026-34211: SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

April 3, 2026 (updated April 6, 2026)

The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process.

References

github.com/advisories/GHSA-8pfc-jjgw-6g26
github.com/nyariv/SandboxJS
github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26
nvd.nist.gov/vuln/detail/CVE-2026-34211

Code Behaviors & Features

Detect and mitigate CVE-2026-34211 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →