SandboxJS Execution-Quota Bypass Vulnerability

Vulnerability

A vulnerability in SandboxJS versions prior to 0.8.35 allows for an execution-quota bypass in the timer functionality. This issue arises because a global tick state is shared between sandboxes, leading to a race condition. Timer handlers are compiled at execution time using this global state, rather than the tick object of the scheduling sandbox. In multi-tenant or concurrent sandbox scenarios, one sandbox can manipulate the global tick state between the scheduling and execution of a timer, causing the callback to run under a different sandbox's tick budget. This bypasses the original sandbox's execution quota, potentially leading to resource exhaustion or denial-of-service conditions.

Impact

Exploitation of this vulnerability allows for a runtime guard bypass, specifically circumventing execution quotas or watchdog timers. This could enable CPU-intensive operations or long-running computations, causing resource exhaustion or denial-of-service conditions on the host process or for other tenants in a multi-tenant environment.

Reproduction

To reproduce this vulnerability, create two sandboxes: Sandbox A and Sandbox B. Sandbox A should be configured with a limited execution quota. Schedule a heavy operation, such as a loop, using a timer in Sandbox A. Before the timer in Sandbox A executes, run a simple operation in Sandbox B. This will manipulate the global tick state. When the scheduled operation in Sandbox A finally runs, it will do so under the altered tick budget, effectively bypassing the execution quota.
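The following toy model, added here and not taken from SandboxJS itself, illustrates the root cause the advisory describes: a timer handler that is compiled against a shared global tick state at execution time can be charged to whichever sandbox last ran, so a tightly quota-limited sandbox's callback completes under another sandbox's budget. The names `Sandbox`, `compileLoop`, `setTimeoutVulnerable`, `setTimeoutFixed` and the tick-object shape are all assumptions of this example, not SandboxJS API. The fixed variant shows the defensive pattern: capture the scheduling sandbox's own tick object when the timer is created, so the callback is always metered against the budget that scheduled it.

```javascript
// Constructed model of the shared-tick-state flaw; not SandboxJS code.
class QuotaExceeded extends Error {}

class Sandbox {
  constructor(name, quota) {
    this.name = name;
    // Per-sandbox tick budget (assumed shape; not SandboxJS's own tick object).
    this.tick = { remaining: quota, owner: name };
  }
}

// Shared global tick state: the pattern the advisory identifies as the root cause.
let globalTick = null;

// "Compiles" a guest loop of `iterations` steps against a tick object.
// Every step charges one tick and throws once the budget is exhausted.
function compileLoop(iterations, tick) {
  return () => {
    for (let i = 0; i < iterations; i++) {
      if (tick.remaining <= 0) throw new QuotaExceeded(`${tick.owner} quota exhausted`);
      tick.remaining--;
    }
    return iterations;
  };
}

// Synchronous execution: point the global state at this sandbox, then run guest code.
function runIn(sandbox, iterations) {
  globalTick = sandbox.tick;
  return compileLoop(iterations, globalTick)();
}

const timerQueue = [];

// Vulnerable: the handler is compiled when the timer fires, against whatever
// globalTick holds at that moment rather than the scheduling sandbox's tick.
function setTimeoutVulnerable(sandbox, iterations) {
  globalTick = sandbox.tick;
  timerQueue.push(() => compileLoop(iterations, globalTick)());
}

// Fixed: bind the scheduling sandbox's own tick object at scheduling time.
function setTimeoutFixed(sandbox, iterations) {
  const ownTick = sandbox.tick;
  timerQueue.push(() => compileLoop(iterations, ownTick)());
}

// Runs all pending timers and records whether each one completed or was cut off.
function flushTimers() {
  const results = [];
  while (timerQueue.length) {
    const task = timerQueue.shift();
    try {
      results.push({ ok: true, value: task() });
    } catch (e) {
      results.push({ ok: false, error: e.message });
    }
  }
  return results;
}

// The advisory's two-sandbox sequence: A (tight quota) schedules heavy work,
// B runs something trivial before A's timer fires, then the timer executes.
function scenario(schedule) {
  globalTick = null;
  timerQueue.length = 0;
  const a = new Sandbox('A', 10);    // limited execution quota
  const b = new Sandbox('B', 5000);  // generous quota
  schedule(a, 1000);                 // A schedules a 1000-tick loop via a timer
  runIn(b, 1);                       // B runs before A's timer executes
  const [result] = flushTimers();
  return { result, aRemaining: a.tick.remaining, bRemaining: b.tick.remaining };
}

console.log('vulnerable:', JSON.stringify(scenario(setTimeoutVulnerable)));
console.log('fixed:     ', JSON.stringify(scenario(setTimeoutFixed)));
```

In the vulnerable run A's loop completes with A's budget untouched and B's budget debited, which is exactly the cross-tenant quota bypass described above; in the fixed run the same callback is stopped after A's ten ticks. A useful regression check for any sandbox scheduler is therefore this pairing: schedule under a tight budget, run another tenant in between, and assert that the timer still fails against the scheduling tenant's quota.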

Remediation

Users can update to SandboxJS version 0.8.35 or later, where this vulnerability has been fixed.

Added: Mar 18, 2026, 10:29 PM
Updated: Mar 18, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  5.8
remediation     0.0
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.