Impact
SandboxJS timers were implemented such that a global tick state (`currentTicks.current`) is shared across all sandboxes. Timer string handlers are compiled at execution time using this global tick value instead of the individual sandbox's tick object. When multiple sandboxes are active concurrently, a sandbox can overwrite the global tick between scheduling a timer and its execution, causing the timer callback to run under a different sandbox's tick budget and thereby bypass the original sandbox's execution quota or watchdog. This race condition (CWE-362) allows the affected sandbox to execute code beyond its intended resource limits, potentially leading to denial of service or sandbox escape within the JavaScript environment.
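A minimal model of the race described above, added here as an illustration and not taken from SandboxJS: only the `currentTicks.current` name comes from the advisory; the sandbox objects, tick budgets and simulated event loop are constructed for the example. It contrasts a timer that reads the shared global when it fires with one that binds the scheduling sandbox's own tick object.

```javascript
// Added model (not SandboxJS code): why charging a timer callback to a *shared*
// global tick object at execution time lets it run under another sandbox's budget.
// Only `currentTicks.current` is from the advisory; the rest is constructed.
// Shared global tick state, overwritten by whichever sandbox is active.
const currentTicks = { current: null };

// Each sandbox owns a tick object: a budget and how much of it has been used.
function makeSandbox(name, budget) {
  return { name, ticks: { name, used: 0, budget } };
}

// Watchdog stand-in: debit `cost` from a tick object, throw when over budget.
function charge(ticks, cost) {
  if (ticks.used + cost > ticks.budget) throw new Error(`${ticks.name}: quota exceeded`);
  ticks.used += cost;
}

// Simulated event loop: timer callbacks fire later, in scheduling order.
const pending = [];
function drain() {
  while (pending.length) pending.shift()();
}

// Vulnerable pattern: the callback reads the global at *execution* time.
function setTimerVulnerable(sandbox, cost) {
  currentTicks.current = sandbox.ticks; // this sandbox is active while scheduling
  pending.push(() => charge(currentTicks.current, cost));
}

// Fixed pattern: bind the scheduling sandbox's own tick object at *schedule* time.
function setTimerFixed(sandbox, cost) {
  const own = sandbox.ticks;
  pending.push(() => charge(own, cost));
}

// Race scenario: A schedules work costing more than A's whole budget, then B
// becomes active (overwriting the global) before A's timer fires.
function scenario(setTimer) {
  pending.length = 0;
  const a = makeSandbox('A', 10);
  const b = makeSandbox('B', 100);
  setTimer(a, 50);
  currentTicks.current = b.ticks;
  let error = null;
  try { drain(); } catch (e) { error = e.message; }
  return { error, aUsed: a.ticks.used, bUsed: b.ticks.used };
}

console.log(scenario(setTimerVulnerable)); // A's 50-tick work runs, billed to B
console.log(scenario(setTimerFixed));      // A's own watchdog rejects it
```

In the vulnerable run, sandbox A's over-budget work completes with A's counter untouched and B's budget debited instead, which is exactly the quota bypass the advisory describes; the fixed run throws from A's own watchdog.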
Affected Systems
The vulnerability affects SandboxJS, a JavaScript sandboxing library from vendor nyariv. All releases prior to version 0.8.35 are impacted, including 0.8.33, 0.8.34, and earlier.
Risk and Exploitability
The CVSS score is 4.8 (medium), reflecting a partial loss of the isolation a sandboxed environment is meant to provide. EPSS indicates a very low probability of exploitation (<1%). The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a multi-tenant or concurrent sandbox scenario in which an attacker can create another sandbox that manipulates the shared tick state. Successful exploitation would allow the attacker to cause another sandbox to execute code beyond its allocated quota, potentially resulting in resource exhaustion or privilege escalation within the sandboxed context. The requirement for concurrent sandbox activity lowers the overall threat level, but the impact remains significant when those conditions are met.
OpenCVE Enrichment
Github GHSA