CVE-2024-29021

SSRF into Sandbox Escape through Unsafe Default Configuration

CVSS 9.1 CRITICALEPSS 20.2%CWE-1393 CWE-918

In short

Judge0's default setup allows attackers to escape its sandbox through a web request trick (SSRF), letting them run code with root privileges on the server. This is critical because it completely bypasses the security isolation that protects the system.

Technical detail

A Server-Side Request Forgery (CWE-918) vulnerability in Judge0's default configuration enables sandbox escape (CWE-1393) through unsafe internal request handling. An authenticated attacker can exploit this to achieve arbitrary code execution as root. The vulnerability stems from insufficient isolation between the SSRF attack surface and the containerized execution environment, affecting versions prior to 1.13.1.

Summary generated and translated by AI from the official description.

Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine. This vulnerability is fixed in 1.13.1.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

judge0 · judge0

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230 https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr