Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)
Vulnerability Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.
CVSS Information
N/A
Vulnerability Type
使用共享资源的并发执行不恰当同步问题(竞争条件)
Vulnerability Title
SandboxJS 竞争条件问题漏洞
Vulnerability Description
SandboxJS是nyariv个人开发者的一个安全评估软件。 SandboxJS 0.8.35之前版本存在竞争条件问题漏洞,该漏洞源于计时器存在执行配额绕过问题,可能导致多租户场景中计时器回调在不同沙箱的滴答预算下运行,绕过原始沙箱的执行配额。
CVSS Information
N/A
Vulnerability Type
N/A