CVE-2026-32723 is a concurrency-related vulnerability classified under CWE-362 (Race Condition) affecting the SandboxJS library, a tool used to sandbox JavaScript code execution. The root cause lies in the improper synchronization of a global tick state variable (`currentTicks.current`) that is shared across multiple sandbox instances. When timers are scheduled, their string handlers are compiled using this global tick state rather than the sandbox-specific tick object. In environments where multiple sandboxes run concurrently (multi-tenant scenarios), a race condition can occur: between the scheduling of a timer and its execution, another sandbox can overwrite the global tick state. This causes the timer callback to execute under a different sandbox's tick budget, effectively bypassing the original sandbox's execution quota or watchdog timer. This flaw undermines the isolation guarantees of SandboxJS by allowing a sandboxed script to consume more execution time than intended, potentially leading to denial of service or unauthorized code execution beyond imposed limits. The vulnerability affects all versions of SandboxJS prior to 0.8.35, where the issue has been addressed by properly isolating the tick state per sandbox instance. The CVSS 4.0 base score is 4.8 (medium severity), reflecting the local attack vector, low complexity, and limited impact on availability. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the potential bypass of execution quotas or watchdog timers within SandboxJS environments, which can lead to sandbox escape scenarios or denial of service conditions. In multi-tenant or concurrent sandbox deployments, an attacker controlling one sandbox could manipulate the global tick state to extend their execution time beyond intended limits, potentially exhausting system resources or interfering with other tenants. This undermines the security guarantees of sandboxing, which is critical for safely running untrusted JavaScript code. Organizations relying on SandboxJS for isolating code execution—such as cloud service providers, SaaS platforms, or development tools—may face increased risk of resource exhaustion, degraded service availability, or unauthorized code execution if they use vulnerable versions. Although the vulnerability does not directly allow remote code execution or privilege escalation, the ability to bypass execution quotas can facilitate further attacks or disrupt normal operations.

To mitigate this vulnerability, organizations should upgrade all SandboxJS deployments to version 0.8.35 or later, where the global tick state is properly isolated per sandbox instance, eliminating the race condition. For environments where immediate upgrading is not feasible, consider implementing strict process or container isolation between sandbox instances to prevent shared memory or state interference. Additionally, monitor sandbox execution times and resource usage for anomalies that may indicate exploitation attempts. Avoid running multiple sandboxes concurrently in the same process space without proper synchronization mechanisms. Security teams should review their sandboxing architecture to ensure that shared global states are minimized or eliminated. Finally, maintain up-to-date dependency management practices to promptly apply security patches for third-party libraries like SandboxJS.