CVE-2026-32723
MEDIUMSandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)
Title source: cnaDescription
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r
X_Refsource_Misc x_refsource_misc
https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29
Scores
CVSS v3
4.7
EPSS
0.0001
EPSS Percentile
0.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-362
Status
published
Products (3)
nyariv/sandboxjs
< 0.8.35
nyariv/sandboxjs
0 - 0.8.35npm
nyariv/SandboxJS
< 0.8.35
Published
Mar 18, 2026
Tracked Since
Mar 19, 2026