Multiple critical security flaws in Judge0 allow an adversary to obtain root permissions on the host machine

Multiple critical security flaws in Judge0, an open-source online code execution system, were disclosed, allowing an adversary to perform a sandbox escape and gain root permissions on the host machine. The vulnerabilities include CVE-2024-28185 and CVE-2024-28189, which allow an attacker to write to arbitrary files outside the sandbox, and CVE-2024-29021, which allows for a sandbox escape via Server-Side Request Forgery (SSRF) to obtain unsandboxed code execution as root on the target machine. These flaws were discovered by Daniel Cooper in March 2024 and have been patched in version 1.13.1. Users are advised to update to the latest version to mitigate potential threats. The attacker could gain complete access to the Judge0 system, including the database, internal networks, web server, and other applications running on the host machine. This highlights the critical importance of promptly addressing and updating systems to protect against such vulnerabilities.

https://thehackernews.com/2024/04/sandbox-escape-vulnerabilities-in.html