PT-2026-25822 · Sandboxjs · Sandboxjs

Zwique · Published 2026-03-16 · Updated 2026-03-19 · CVE-2026-32723

CVSS v4.0: 4.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SandboxJS versions prior to 0.8.35

Description: SandboxJS, a JavaScript sandboxing library, has an issue where timers can bypass execution quotas. A global tick state (currentTicks.current) is shared between sandboxes. Timer string handlers are compiled at execution time using this global tick state instead of the scheduling sandbox's tick object. In multi-tenant or concurrent sandbox scenarios, another sandbox can overwrite currentTicks.current between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota. This can lead to CPU or resource abuse.

The root cause is global mutable state shared across all sandbox instances. The currentTicks.current variable is read during timer compilation, so if another sandbox has modified it in the meantime, the timer executes with the wrong tick budget. A proof of concept demonstrates that a heavy loop can complete and bypass the quota when another sandbox runs before the timer fires. This impacts applications running multiple SandboxJS instances concurrently, such as multi-tenant interpreters, plugin engines, and server-side scripting hosts.

Recommendations: Update SandboxJS to version 0.8.35 or later.
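The following is an added, constructed model of the flaw pattern the description names (a global mutable tick slot read when a timer fires, versus the scheduling sandbox's own tick object captured at schedule time). It is not SandboxJS code: the names currentTicks, TickBudget, scheduleVulnerable, scheduleFixed and simulate are all assumptions made for illustration, and the tenants and quota sizes are constructed inputs. It shows why the second sandbox's run changes which budget the first sandbox's timer is charged to, and how capturing the budget at schedule time removes that dependency.

```javascript
// Constructed model of the advisory's race; not the library's own code.
// A tick budget caps how many steps a sandbox may execute.

// Vulnerable design: one mutable global slot shared by every sandbox instance.
const currentTicks = { current: null };

class TickBudget {
  constructor(limit) { this.limit = limit; this.used = 0; }
  tick() {
    this.used += 1;
    if (this.used > this.limit) throw new Error('tick quota exceeded');
  }
}

// Runs a workload of `iterations` steps, charging each step to `budget`.
function runWorkload(budget, iterations) {
  for (let i = 0; i < iterations; i++) budget.tick();
  return iterations;
}

// Vulnerable scheduler: the callback reads currentTicks.current when it FIRES,
// so whichever sandbox ran last decides which budget the work is charged to.
function scheduleVulnerable(queue, sandbox, iterations) {
  currentTicks.current = sandbox.budget;
  queue.push(() => runWorkload(currentTicks.current, iterations));
}

// Fixed scheduler: the scheduling sandbox's own budget object is captured at
// schedule time; nothing another sandbox does later can swap it.
function scheduleFixed(queue, sandbox, iterations) {
  const budget = sandbox.budget;
  queue.push(() => runWorkload(budget, iterations));
}

// Drives one scenario: tenant A (small quota) schedules a heavy timer, tenant B
// (large quota) runs before the timer fires, then the timer fires.
function simulate(schedule) {
  const queue = [];
  const tenantA = { budget: new TickBudget(10) };    // constructed: quota of 10 ticks
  const tenantB = { budget: new TickBudget(1000) };  // constructed: quota of 1000 ticks

  schedule(queue, tenantA, 500);   // 500 steps, far above A's quota

  // Tenant B executes in between and, as every sandbox does in the vulnerable
  // design, points the shared global at its own budget.
  currentTicks.current = tenantB.budget;
  runWorkload(currentTicks.current, 1);

  let completed;
  try {
    queue.shift()();          // A's timer fires now
    completed = true;
  } catch (e) {
    completed = false;        // quota enforced: the heavy loop was cut short
  }
  return { completed, chargedToA: tenantA.budget.used, chargedToB: tenantB.budget.used };
}

module.exports = { TickBudget, runWorkload, scheduleVulnerable, scheduleFixed, simulate };
```

With scheduleVulnerable, A's 500-step loop runs to completion and every tick is charged to B's budget, so A's quota of 10 is never consulted; with scheduleFixed the same loop is stopped after the eleventh tick against A's own budget. The detection-relevant signal for operators of multi-tenant hosts is the same one the model exposes: per-tenant tick accounting that stays at zero while CPU time is consumed.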

Exploit

Fix

Weakness Enumeration: Race Condition

Related Identifiers

CVE-2026-32723
GHSA-7P5M-XRH7-769R

Affected Products

Sandboxjs