CVE-2026-34208

CVE-2026-34208 affects SandboxJS, an open-source JavaScript sandboxing library, in versions prior to 0.8.36. The vulnerability stems from inadequate protection against indirect mutations of host global objects. While SandboxJS blocks direct assignments to globals like Math.random, attackers can bypass this via an exposed callable constructor path: this.constructor.call(target, attackerObject). Here, this.constructor resolves to the internal SandboxGlobal function, and since Function.prototype.call is permitted, malicious code can arbitrarily write properties into the host environment's global objects.

Any attacker with code execution inside a SandboxJS sandbox can exploit this remotely over a network with low complexity, no privileges, and no user interaction required, as indicated by the CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L). Successful exploitation allows writing arbitrary properties to host global objects, with these mutations persisting across multiple sandbox instances in the same process. This grants high-impact confidentiality and integrity violations, plus low availability impact, potentially enabling privilege escalation, data exfiltration, or corruption of shared state in multi-tenant or sandboxed JavaScript environments.

The GitHub Security Advisory (GHSA-2gg9-6p7w-6cpj) confirms the issue and states that it is fixed in SandboxJS version 0.8.36. Security practitioners should upgrade to 0.8.36 or later, review sandbox usage for exposed constructor paths, and audit applications relying on SandboxJS for isolation in Node.js or browser contexts. The vulnerability maps to CWE-693 (Protection Mechanism Failure) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).