CVE-2026-34217: SandboxJS: Sandbox Escape via Prop Object Leak in New Handler

April 3, 2026 (updated April 6, 2026)

A scope modification vulnerability exists in @nyariv/sandboxjs versions 0.8.35 and below. Untrusted sandboxed code can leak internal interpreter objects through the new operator, which exposes sandbox scope objects in the scope hierarchy to that code. This exposure is unexpected and unintended. While it could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout execution.

References

  • github.com/advisories/GHSA-hg73-4w7g-q96w
  • github.com/nyariv/SandboxJS
  • github.com/nyariv/SandboxJS/commit/abc02f657279e51a4aaad2bc8f99f3e37a01b287
  • github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w
  • nvd.nist.gov/vuln/detail/CVE-2026-34217

Affected versions

All versions before 0.8.36

Fixed versions

  • 0.8.36

Solution

Upgrade to version 0.8.36 or above.
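
To confirm whether a project still resolves an affected release, the following added example (not part of the advisory or of the SandboxJS project) checks a parsed package-lock.json for copies of @nyariv/sandboxjs older than 0.8.36, including nested installs. The function names and the sample lockfile are constructed for illustration, and treating a 0.8.36 prerelease as affected is a conservative assumption.

```javascript
const PKG = "@nyariv/sandboxjs";
const FIXED = "0.8.36"; // fixed version stated in the advisory

// Split a version into numeric major.minor.patch plus a prerelease flag.
function parseVersion(v) {
  const clean = String(v).trim().replace(/^v/, "").split("+")[0];
  const dash = clean.indexOf("-");
  const core = dash === -1 ? clean : clean.slice(0, dash);
  const nums = core.split(".").map((n) => Number.parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, prerelease: dash !== -1 };
}

// True when the version sorts before FIXED (numeric compare, so 0.8.4 < 0.8.36).
function isAffected(version) {
  const v = parseVersion(version);
  const f = parseVersion(FIXED);
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== f.nums[i]) return v.nums[i] < f.nums[i];
  }
  return v.prerelease; // assumption: 0.8.36-beta.1 precedes the fixed release
}

// Accepts a parsed package-lock.json object and returns [{ path, version }].
function findAffected(lock) {
  const hits = [];
  const add = (path, version) => {
    if (version && isAffected(version) && !hits.some((h) => h.path === path)) hits.push({ path, version });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG)) add(path, meta.version);
  }
  // lockfileVersion 1 (also present in 2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PKG) add(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level copy is fixed, a nested transitive copy is not.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@nyariv/sandboxjs": { version: "0.8.36" },
  "node_modules/widget/node_modules/@nyariv/sandboxjs": { version: "0.8.35" } } };
console.log(findAffected(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected; any hit means a dependency path still pins an affected release and needs the upgrade.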

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness

  • CWE-668: Exposure of Resource to Wrong Sphere

Source file

npm/@nyariv/sandboxjs/CVE-2026-34217.yml

Page generated Sat, 09 May 2026 12:18:13 +0000.