CVE-2026-32723: SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers
Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 (no /Users/zwique/Downloads/SandboxJS found). A global tick state (currentTicks.current) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the tick object of the sandbox that scheduled them. In multi-tenant or concurrent sandbox scenarios, another sandbox can overwrite currentTicks.current between scheduling and execution, so the timer callback runs under a different sandbox's tick budget and bypasses the original sandbox's execution quota/watchdog.
Impact: execution quota bypass → CPU/resource abuse
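To make the race concrete, the following is an added toy model (not SandboxJS's code; the Sandbox class, its methods and the burn helper are assumptions) in which a timer scheduled by one sandbox reads the global currentTicks.current only when it fires, after a second sandbox has replaced it, beside the fixed variant that captures the scheduling sandbox's tick object up front:

```javascript
// Constructed model of the defect, not SandboxJS's own code.
// One global slot holds the budget of whichever sandbox ran last.
const currentTicks = { current: null };

class Sandbox {
  constructor(name, maxTicks) {
    this.name = name;
    this.ticks = { count: 0, max: maxTicks }; // per-sandbox budget
    this.timers = [];
  }
  // Install this sandbox's budget globally, then run code in it.
  run(fn) {
    currentTicks.current = this.ticks;
    return fn();
  }
  // Vulnerable: the handler is bound to a budget only when it fires,
  // and it takes whatever budget is global at that moment.
  setTimeoutVulnerable(work) {
    this.timers.push(() => work(currentTicks.current));
  }
  // Fixed: capture this sandbox's budget at scheduling time.
  setTimeoutFixed(work) {
    const ticks = this.ticks;
    this.timers.push(() => work(ticks));
  }
  // Hypothetical event-loop drain: timers fire after other code has run.
  flush() {
    const pending = this.timers;
    this.timers = [];
    pending.forEach((cb) => cb());
  }
}

// Work charged against the budget it is handed; throws when exhausted.
function burn(ticks, n) {
  for (let i = 0; i < n; i++) {
    if (++ticks.count > ticks.max) throw new Error('quota exceeded');
  }
}

// Sandbox A (tight quota) schedules 100 ticks of work, sandbox B (generous
// quota) runs next and overwrites the global slot, then A's timer fires.
function simulate(useFixed) {
  const a = new Sandbox('A', 10);
  const b = new Sandbox('B', 1000);
  const schedule = useFixed ? a.setTimeoutFixed : a.setTimeoutVulnerable;
  a.run(() => schedule.call(a, (t) => burn(t, 100)));
  b.run(() => {}); // the race window: currentTicks.current is now B's
  let threw = false;
  try { a.flush(); } catch (e) { threw = true; }
  return { threw, chargedA: a.ticks.count, chargedB: b.ticks.count };
}
```

In the vulnerable run A's work is charged to B and no quota fires; in the fixed run it is charged to A and stops at the 11th tick.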