CVE-2026-32723 Overview
SandboxJS is a JavaScript sandboxing library that provides execution isolation and quota enforcement for untrusted code. Prior to version 0.8.35, a race condition vulnerability exists in the timer execution mechanism where a global tick state (currentTicks.current) is shared between sandboxes. Timer string handlers are compiled at execution time using this global tick state rather than the scheduling sandbox's tick object. In multi-tenant or concurrent sandbox scenarios, another sandbox can overwrite currentTicks.current between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog.
Critical Impact
This race condition allows malicious code in one sandbox to consume another sandbox's execution quota, effectively bypassing resource isolation controls designed to prevent denial of service and resource abuse in multi-tenant JavaScript execution environments.
Affected Products
- nyariv sandboxjs (versions prior to 0.8.35)
- Node.js applications using SandboxJS for multi-tenant code execution
- Platforms implementing SandboxJS for untrusted JavaScript isolation
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-32723 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32723
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Race Condition). The core issue lies in the architectural design of how SandboxJS manages execution quotas across concurrent sandboxes. The library uses a global currentTicks.current variable that tracks tick consumption for quota enforcement. When timer callbacks are scheduled, they should be bound to the originating sandbox's tick budget. However, the actual binding occurs at execution time rather than scheduling time, creating a Time-of-Check Time-of-Use (TOCTOU) window.
In multi-tenant deployments where multiple sandboxes execute concurrently, this shared mutable state allows one sandbox to manipulate the tick context before another sandbox's timer callback executes. The result is that resource-intensive operations can be charged to an unrelated sandbox's quota, undermining the fundamental isolation guarantees that sandbox environments are designed to provide.
Root Cause
The root cause is the use of shared global state (currentTicks.current) for tracking per-sandbox execution quotas. Timer string handlers dynamically reference this global variable during compilation and execution rather than capturing the sandbox-specific tick object at scheduling time. This violates the principle of proper resource isolation in multi-tenant systems, where each sandbox should maintain its own independent quota tracking that cannot be influenced by other sandboxes.
Attack Vector
The attack requires local access with low privileges and exploits the timing window between timer scheduling and execution. An attacker controlling one sandbox can schedule CPU-intensive operations timed to execute when currentTicks.current points to a victim sandbox's tick budget. The attack flow involves:
- Attacker schedules timer callbacks with resource-intensive payloads
- Attacker manipulates timing to align execution with victim sandbox's active tick context
- When the timer fires, the expensive operations consume the victim's quota instead of the attacker's
- This can lead to denial of service for the victim sandbox or allow the attacker to exceed their own quota limits
The security patch removes the direct import of currentTicks from executor.js in the evaluation module:
-import { createFunction, createFunctionAsync, currentTicks } from './executor.js';
+import { createFunction, createFunctionAsync } from './executor.js';
import parse, { Lisp, lispifyFunction } from './parser.js';
import { IExecContext, LispType, Ticks } from './utils.js';
Source: GitHub Commit Details
Detection Methods for CVE-2026-32723
Indicators of Compromise
- Unexpected quota exhaustion in sandboxes that should have ample remaining execution budget
- Timer callbacks executing with tick contexts mismatched from their originating sandbox
- Anomalous patterns of currentTicks.current modifications across concurrent sandbox boundaries
- Resource consumption metrics showing cross-sandbox attribution discrepancies
Detection Strategies
- Implement logging for tick state transitions to identify unexpected context switches during timer execution
- Monitor for sandboxes that consistently escape quota enforcement while others experience premature termination
- Audit application dependencies for SandboxJS versions below 0.8.35
- Deploy runtime monitoring for shared state access patterns in sandbox execution environments
Monitoring Recommendations
- Enable verbose logging for sandbox timer scheduling and execution events
- Track execution quota metrics per sandbox to identify statistical anomalies
- Implement alerts for sandbox quota bypass events or unexplained quota exhaustion
- Monitor npm dependency trees for vulnerable SandboxJS package versions
How to Mitigate CVE-2026-32723
Immediate Actions Required
- Upgrade SandboxJS to version 0.8.35 or later immediately
- Audit all applications using SandboxJS in multi-tenant or concurrent execution scenarios
- Review logs for evidence of quota bypass exploitation attempts
- Consider temporarily disabling timer functionality in sandboxes until patches can be applied
Patch Information
The fix is available in SandboxJS version 0.8.35. The patch modifies the timer execution mechanism to capture the sandbox-specific tick object at scheduling time rather than referencing the shared global state at execution time. This ensures each timer callback is bound to the correct sandbox's quota regardless of concurrent execution patterns.
For detailed patch information, refer to the GitHub Security Advisory GHSA-7p5m-xrh7-769r and the security patch commit.
Workarounds
- Avoid running multiple sandboxes concurrently in the same process until patching is complete
- Implement application-level quota enforcement as an additional defense layer
- Disable string-based timer handlers (setTimeout with string arguments) in sandboxed code
- Consider process-level isolation for high-security multi-tenant scenarios as a defense-in-depth measure
# Update SandboxJS to patched version
npm update sandboxjs@0.8.35
# Verify installed version
npm list sandboxjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
