CVE Alert

CVE-2026-32723

UNKNOWN 0.0

SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.
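
The race described above, reduced to a deterministic model with the pre-fix and post-fix lookup patterns side by side. This is an added example, not SandboxJS source code or the project's patch: `ModelSandbox`, `charge`, `scheduleVulnerable`, `scheduleFixed`, `simulate` and the tick costs are hypothetical, a manual queue stands in for real timers, and only the name `currentTicks.current` comes from the advisory text.

```javascript
// Simplified model of the flaw; this is not SandboxJS source code.
// Only the name currentTicks.current comes from the advisory text.
const currentTicks = { current: null }; // global state shared by all sandboxes

class ModelSandbox {
  constructor(name, limit) {
    this.name = name;
    this.ticks = { owner: name, used: 0, limit };
  }
  // Entering a sandbox points the global at that sandbox's tick object.
  enter() { currentTicks.current = this.ticks; }
}

// Charge `cost` ticks against a budget; throw when the quota is exceeded.
function charge(ticks, cost) {
  ticks.used += cost;
  if (ticks.used > ticks.limit) throw new Error(`quota exceeded: ${ticks.owner}`);
}

// Pre-fix pattern: the budget is looked up when the timer fires.
function scheduleVulnerable(queue, sandbox, cost) {
  sandbox.enter();
  queue.push(() => charge(currentTicks.current, cost));
}

// Post-fix pattern: the scheduling sandbox's tick object is captured up front.
function scheduleFixed(queue, sandbox, cost) {
  sandbox.enter();
  const ticks = sandbox.ticks;
  queue.push(() => charge(ticks, cost));
}

// Constructed scenario: sandbox A (limit 10) schedules 50 ticks of work, then
// sandbox B (limit 1000) becomes current before the timer queue is drained.
function simulate(schedule) {
  const a = new ModelSandbox("A", 10);
  const b = new ModelSandbox("B", 1000);
  const queue = [];
  schedule(queue, a, 50);
  b.enter(); // interleaving: another tenant runs in between
  let blocked = false;
  for (const timer of queue) {
    try { timer(); } catch { blocked = true; }
  }
  return { blocked, usedA: a.ticks.used, usedB: b.ticks.used };
}
```

With `scheduleVulnerable` the work is charged to B and A's quota never trips; with `scheduleFixed` the charge lands on A and the quota check fires.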

CWE CWE-362
Vendor nyariv
Product sandboxjs
Published Mar 18, 2026
Last Updated Mar 19, 2026

Affected Versions

nyariv / SandboxJS
< 0.8.35

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r
github.com: https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29