Judge0’s Sandbox Escape Vulnerabilities Lead to Complete System Takeover


Judge0 Critical Security Flaws: Sandbox Escape Vulnerabilities and Root Permissions Risks

In a recent report, Australian cybersecurity firm Tanto Security revealed multiple critical security flaws in the Judge0 open-source online code execution system. These vulnerabilities could allow an attacker to execute code on the target system.

The flaws, reported by Daniel Cooper in March 2024, include CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, with severity scores ranging from 9.1 to 10.0. They stem from bypasses of the sandbox's security measures and from exposure of the service to Server-Side Request Forgery (SSRF) attacks.

One of the critical vulnerabilities, CVE-2024-28185, allows an attacker to write to arbitrary files and gain code execution outside of the sandbox. Another flaw, CVE-2024-28189, involves the potential misuse of symbolic links to run chown commands on arbitrary files outside of the sandbox.

The most serious vulnerability, CVE-2024-29021, allows an attacker to escape the sandbox via SSRF and obtain unsandboxed code execution as root on the target machine. This flaw could lead to complete control over the system, including the database, internal networks, and other applications running on the host.

The maintainers of Judge0 have addressed these vulnerabilities in version 1.13.1 released on April 18, 2024. Users are strongly advised to update to the latest version to mitigate any potential risks posed by these security flaws.

This development underscores the importance of regular security updates and maintenance to ensure the integrity and security of online systems. It also highlights the critical role of responsible disclosure in addressing and resolving vulnerabilities in a timely manner.
