PT-2026-30273 · Sandboxjs+1

Offset · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-34211

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: SandboxJS versions prior to 0.8.36

Description: The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and in the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying a deeply nested expression (e.g., ~2000 nested parentheses), which raises a RangeError: Maximum call stack size exceeded and terminates the process. The root cause is in src/parser.ts, specifically in the restOfExp function (line 443) and in the lispify and lispifyExpr functions: none of these recursive calls enforces a depth limit. All public API methods (Sandbox.parse(), Sandbox.compile(), Sandbox.compileAsync(), Sandbox.compileExpression(), Sandbox.compileExpressionAsync()) are affected, because each passes user input directly to parse() without input validation or depth limiting. In Node.js, a RangeError: Maximum call stack size exceeded aborts the current execution context and, in synchronous server applications, can bring down the entire process. The result is a denial of service: a single crafted input string crashes the host Node.js process.

Recommendations: Add a depth parameter to restOfExp and throw a ParseError when a maximum depth is exceeded. Similarly, add depth tracking to lispify and lispifyExpr.
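As an added example (not code from this advisory or from @nyariv/sandboxjs), the following JavaScript gate measures the bracket nesting depth of untrusted source and rejects it before it reaches any recursive-descent parser that lacks its own depth limit; `compileWithDepthLimit` and its `compile` parameter are hypothetical names standing in for the real entry point (for example Sandbox.compile), and the limit of 100 is an assumed value.

```javascript
// Added example, not part of the advisory or of @nyariv/sandboxjs: reject
// deeply nested input before any recursive parser sees it.
const OPEN = new Map([["(", ")"], ["[", "]"], ["{", "}"]]);
const CLOSE = new Set([")", "]", "}"]);

// Maximum nesting depth of (), [] and {} in `src`. Brackets inside '...', "..."
// and `...` string literals are ignored (backslash escapes honoured; `${...}`
// inside a template literal is treated as string content). Unbalanced brackets
// or an unterminated string yield Infinity so the caller rejects them as well.
function maxNestingDepth(src) {
  const stack = [];
  let depth = 0;
  let quote = null;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") { quote = ch; continue; }
    if (OPEN.has(ch)) {
      stack.push(OPEN.get(ch));
      depth = Math.max(depth, stack.length);
    } else if (CLOSE.has(ch)) {
      if (stack.pop() !== ch) return Infinity;  // mismatched close bracket
    }
  }
  return stack.length === 0 && quote === null ? depth : Infinity;
}

// Hypothetical wrapper: `compile` is whatever sandbox entry point the caller
// uses; the gate runs first, so over-deep input never reaches the parser.
// `maxDepth` of 100 is an assumed application-specific limit.
function compileWithDepthLimit(compile, src, maxDepth = 100) {
  const depth = maxNestingDepth(src);
  if (depth > maxDepth) {
    throw new RangeError(`input nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return compile(src);
}
```

The gate is a stop-gap for deployments that cannot upgrade immediately; it does not replace the depth limit inside the parser itself.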

Fix

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

CVE-2026-34211
GHSA-8PFC-JJGW-6G26

Affected Products

Node.js
Sandboxjs