CVE-2026-32723 in SandboxJS

Summary

by MITRE • 03/19/2026

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.


Analysis

by VulDB Data Team • 03/23/2026

The vulnerability identified as CVE-2026-32723 affects SandboxJS, a JavaScript sandboxing library designed to provide isolated execution environments for untrusted code. This security flaw represents a critical bypass of the sandbox's execution quota mechanism, fundamentally undermining the isolation guarantees that sandboxing is intended to provide. The issue stems from a design flaw in how timer execution quotas are managed across multiple concurrent sandbox instances, creating a race condition that allows malicious actors to circumvent resource limitations imposed on individual sandboxes.

The technical root cause of this vulnerability lies in the improper management of global state within the sandboxing framework. Specifically, the global tick state variable `currentTicks.current` serves as a shared reference point between different sandbox instances rather than maintaining separate tick objects for each isolated execution environment. When timers are scheduled within a sandbox, their string handlers are compiled using this global tick state reference. However, during the time interval between when a timer is scheduled and when it actually executes, concurrent sandbox operations can modify the global `currentTicks.current` value, causing the timer callback to execute under a different sandbox's tick budget context rather than the originally intended one. This race condition directly violates the fundamental principle of sandbox isolation where each execution context should maintain its own resource constraints and execution limits.

The operational impact of this vulnerability in multi-tenant or concurrent sandbox scenarios is severe and potentially exploitable. In environments where multiple untrusted code fragments execute simultaneously within the same application process, an attacker could craft malicious code that schedules timers to execute after another sandbox has modified the global tick state. This timing manipulation allows the timer callback to bypass the original sandbox's execution quota, effectively enabling unlimited execution time within that sandbox. The vulnerability particularly affects applications that rely on sandboxing for security boundaries, such as code execution platforms, serverless computing environments, or any system where untrusted JavaScript code must be executed in isolated contexts while maintaining resource consumption limits.

This vulnerability maps to CWE-367, which addresses Time-of-Check Time-of-Use (TOCTOU) flaws, and represents a specific instance of improper resource management in concurrent execution environments. From an ATT&CK perspective, this weakness falls under T1059.007 for JavaScript execution and could enable techniques such as privilege escalation through resource exhaustion or denial of service via bypassing execution limits. The fix implemented in version 0.8.35 addresses this by ensuring that each sandbox maintains its own isolated tick state rather than relying on global shared state for timer execution context, thereby preventing the cross-contamination of execution quotas between different sandbox instances.
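
The root cause and the fix described above can be reproduced in a small model, given here as an added example that is not SandboxJS source code and not part of the original advisory. Only `currentTicks.current` comes from the advisory; `MiniSandbox`, `charge`, `scheduleShared`, `scheduleBound` and `simulate` are hypothetical names, and the compilation of a timer string handler is replaced by a fixed tick cost.

```javascript
// Simplified model of the flaw class; constructed for illustration, not SandboxJS source.
const currentTicks = { current: null }; // shared global (name taken from the advisory)

// Add `cost` to a tick budget and enforce its limit, as a quota watchdog would.
function charge(ticks, cost) {
  ticks.used += cost;
  if (ticks.used > ticks.limit) throw new Error("execution quota exceeded");
}

class MiniSandbox { // hypothetical class
  constructor(limit) {
    this.ticks = { used: 0, limit }; // this sandbox's own budget
    this.timers = [];
  }
  run(cost) {
    currentTicks.current = this.ticks; // entering a sandbox repoints the global
    charge(currentTicks.current, cost);
  }
  // Flawed pattern: the budget is looked up from the global when the timer fires.
  scheduleShared(cost) {
    this.timers.push(() => charge(currentTicks.current, cost));
  }
  // Corrected pattern: the scheduling sandbox's tick object is bound at schedule time.
  scheduleBound(cost) {
    const own = this.ticks;
    this.timers.push(() => charge(own, cost));
  }
  fireTimers() {
    const due = this.timers.splice(0);
    for (const timer of due) timer();
  }
}

// Sandbox A (limit 10) schedules a 50-tick timer; sandbox B (limit 1000) runs before it fires.
function simulate(method) {
  const a = new MiniSandbox(10);
  const b = new MiniSandbox(1000);
  a.run(1);
  a[method](50);
  b.run(1); // overwrites currentTicks.current between scheduling and execution
  let quotaEnforced = false;
  try { a.fireTimers(); } catch (e) { quotaEnforced = true; }
  return { quotaEnforced, chargedToA: a.ticks.used, chargedToB: b.ticks.used };
}

console.log("shared:", simulate("scheduleShared"));
console.log("bound: ", simulate("scheduleBound"));
```

The `simulate` function doubles as a regression check: with per-sandbox binding the timer is charged to A and A's limit trips, while the shared lookup silently bills B.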

Organizations using SandboxJS should immediately upgrade to version 0.8.35 or later to remediate this vulnerability. Administrators should also consider monitoring for abnormal execution patterns that might indicate exploitation attempts, particularly in multi-tenant environments where multiple sandboxes are actively processing timer events. The vulnerability highlights the importance of careful state management in concurrent systems and serves as a reminder that shared global state can leave security boundaries easy to bypass in complex execution environments. Security teams should also review their sandboxing implementations to ensure that similar race conditions or state-sharing issues do not exist in other components of their security architecture.

Responsible: GitHub M
Reservation: 03/13/2026
Disclosure: 03/19/2026
Moderation: accepted
CPE: ready
EPSS: 0.00005
KEV: no
Activities: very low
