CVE-2026-32723— SandboxJS 竞争条件问题漏洞

SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.

N/A

使用共享资源的并发执行不恰当同步问题(竞争条件)

SandboxJS 竞争条件问题漏洞

SandboxJS是nyariv个人开发者的一个安全评估软件。 SandboxJS 0.8.35之前版本存在竞争条件问题漏洞，该漏洞源于计时器存在执行配额绕过问题，可能导致多租户场景中计时器回调在不同沙箱的滴答预算下运行，绕过原始沙箱的执行配额。

N/A

N/A