@nyariv SandboxJS Denial-of-Service Vulnerability via Unbounded Recursion in Expression Parsing
Vulnerability
A denial-of-service vulnerability has been identified in the @nyariv/sandboxjs library, prior to version 0.8.36. The issue arises from unbounded recursion in the expression parsing functions: supplying a deeply nested expression, such as approximately 2000 nested parentheses, drives the recursive parser past the stack limit and raises "RangeError: Maximum call stack size exceeded", which crashes the Node.js process. The vulnerability is particularly impactful because SandboxJS is designed to safely execute untrusted JavaScript, so the crashing input arrives through exactly the code path the library exists to protect.
Impact
Exploitation of this vulnerability causes a RangeError that crashes the Node.js process, terminating any ongoing requests. In a server environment, this can disrupt the entire service.
Reproduction
The vulnerability can be reproduced by installing the @nyariv/sandboxjs package and using the Sandbox.compile() method to process deeply nested expressions. This can be done by creating a JavaScript file that constructs a string with 2000 nested parentheses or array brackets and then compiles it using SandboxJS. The resulting error message will indicate a crash due to exceeding the maximum call stack size.
Remediation
Users are advised to update to @nyariv/sandboxjs version 0.8.36 or later, where this vulnerability has been fixed.
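As an added defence-in-depth example (not code from SandboxJS or from the advisory), the following measures bracket nesting depth of untrusted source before it is passed to a recursive parser such as Sandbox.compile(), refusing over-nested input with an ordinary Error rather than a process-killing RangeError. The depth limit and the guardedCompile wrapper are assumptions for a host application; upgrading to 0.8.36 remains the actual fix.

```javascript
// Added example, not code from SandboxJS: a pre-parse guard that measures
// bracket nesting depth of untrusted source before it reaches a recursive
// parser such as Sandbox.compile(). MAX_NESTING_DEPTH is an assumed
// application policy, not a library constant.
const MAX_NESTING_DEPTH = 100;

// Deepest nesting of (), [], {} in src. Brackets inside string/template
// literals and comments are skipped so ordinary code is not rejected
// (regex literals are not special-cased in this short version).
function maxNestingDepth(src) {
  let depth = 0, max = 0, i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'" || c === '`') {        // quoted literal
      for (i++; i < src.length && src[i] !== c; i++) {
        if (src[i] === '\\') i++;                      // skip escape
      }
    } else if (c === '/' && src[i + 1] === '/') {       // line comment
      const nl = src.indexOf('\n', i);
      i = nl === -1 ? src.length : nl;
    } else if (c === '/' && src[i + 1] === '*') {       // block comment
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 1;
    } else if (c === '(' || c === '[' || c === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (c === ')' || c === ']' || c === '}') {
      depth = Math.max(0, depth - 1);
    }
    i++;
  }
  return max;
}

// Wraps a compile function (e.g. Sandbox.compile) so that over-nested input
// is refused with an ordinary Error instead of a RangeError stack overflow.
function guardedCompile(compileFn, src, limit = MAX_NESTING_DEPTH) {
  const depth = maxNestingDepth(src);
  if (depth > limit) {
    throw new Error(`rejected: nesting depth ${depth} exceeds limit ${limit}`);
  }
  return compileFn(src);
}

// Constructed inputs: a benign expression and the 2000-deep nesting pattern
// the advisory describes.
const benign = 'f("(((", [1, (2 + 3)]) /* ( */ // (';
const hostile = '('.repeat(2000) + '1' + ')'.repeat(2000);
```

Because the guard runs in a flat loop, it costs linear time and constant stack regardless of input depth, so it cannot itself be driven into the same failure.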
