CVE-2026-34208

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.8.35

Description SandboxJS has a flaw where direct assignment to global objects is blocked, but this protection can be bypassed through a callable constructor path using this.constructor.call(target, attackerObject). This allows attacker code to write arbitrary properties into host global objects, persisting those changes across sandbox instances within the same process. The vulnerability arises because the dangerous write is performed internally by a host callable function, bypassing the intended write-time checks. An attacker can leverage this to modify host runtime state and potentially execute arbitrary code, as demonstrated by overwriting Math.random and executing commands via a host gadget. This is a sandbox integrity escape, allowing untrusted code to mutate host shared global objects despite global-write protections. These mutations can affect other requests, tenants, or subsequent sandbox runs, potentially leading to control-flow hijack in application logic.

Recommendations Update to SandboxJS version 0.8.35 or later.