{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32723", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.625Z", "datePublished": "2026-03-18T21:27:35.349Z", "dateUpdated": "2026-03-19T15:51:43.598Z"}, "containers": {"cna": {"title": "SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r"}, {"name": "https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29", "tags": ["x_refsource_MISC"], "url": "https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29"}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"version": "< 0.8.35", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:27:35.349Z"}, "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue."}], "source": {"advisory": "GHSA-7p5m-xrh7-769r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T15:51:03.535740Z", "id": "CVE-2026-32723", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:51:43.598Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32723", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T15:51:03.535740Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:51:28.897Z"}}], "cna": {"title": "SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)", "source": {"advisory": "GHSA-7p5m-xrh7-769r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"status": "affected", "version": "< 0.8.35"}]}], "references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r", "name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29", "name": "https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:27:35.349Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32723", "state": "PUBLISHED", "dateUpdated": "2026-03-19T15:51:43.598Z", "dateReserved": "2026-03-13T15:02:00.625Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T21:27:35.349Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A637641C-852B-4CD3-BCA0-7B4CCF47E687", "versionEndExcluding": "0.8.35", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue."}], "id": "CVE-2026-32723", "lastModified": "2026-03-19T19:20:39.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T22:16:24.827", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.35)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SandboxJS", "source": "cna", "vendor": "nyariv"}, "product": "sandboxjs", "vendor": "nyariv"}], "analysis": {"en": {"generated_at": "2026-03-19T20:22:18.603825+00:00", "value": {"mitigation_remediation": ["Upgrade SandboxJS to version 0.8.35 or later."], "summary": {"action": "Patch", "impact": "Execution-Quota Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the JavaScript sandboxing library SandboxJS from vendor nyariv. All releases prior to version 0.8.35 are impacted. The affected version range is 0.8.33, 0.8.34, and earlier.", "description_and_impact": "SandboxJS timers were implemented such that a global tick state (`currentTicks.current`) is shared across all sandboxes. Timer string handlers are compiled at execution time using this global tick value instead of the individual sandbox\u2019s tick object. When multiple sandboxes are active concurrently, a sandbox can overwrite the global tick between scheduling a timer and its execution, causing the timer callback to run under a different sandbox\u2019s tick budget and thereby bypass the original sandbox\u2019s execution quota or watchdog. This race condition (CWE-362) allows the affected sandbox to execute code beyond its intended resource limits, potentially leading to denial\u2011of\u2011service or sandbox escape within the JavaScript environment.", "risk_and_exploitability": "The CVSS score is 4.8 (medium), reflecting the partial impact on security provided by a sandboxed environment. EPSS indicates a very low probability of exploitation (<1%). The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector involves a multi\u2011tenant or concurrent sandbox scenario where an attacker can create another sandbox that manipulates the shared tick state. Successful exploitation would allow the attacker to cause another sandbox to execute code beyond its allocated quota, potentially resulting in resource exhaustion or privilege escalation within the sandboxed context. The requirement for concurrent sandbox activity reduces the overall threat level, but the impact remains significant if the conditions are met."}}}}, "created": "2026-03-19T08:55:25.077675+00:00", "updated": "2026-03-25T11:52:07.724439+00:00", "vendors": ["nyariv", "nyariv$PRODUCT$sandboxjs"]}