CRITICAL🇵🇱 Wersja polska

CVE-2024-28185

CVSS 10.0v3.1pub. 2024-04-18upd. 2026-04-15

Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.

🤖 AI Analysis
How it works

During execution of submitted code, Judge0 writes a `run_script` file to the sandbox directory. An attacker can place a symbolic link (symlink) with the name `run_script` in this directory before this step, pointing to any file on the host system outside the sandbox. As a result, the write operation (`f.write`) targets the file indicated by the symlink on the unprotected system, making it possible to overwrite critical scripts and hijack code execution outside the isolated environment. The vulnerability stems from a lack of verification that the target write path is not a symbolic link (CWE-59, CWE-61).

Impact

An attacker can overwrite arbitrary files on the host system and execute code outside the sandbox, which in practice means full takeover of the server running Judge0, including the possibility of privilege escalation and permanent system compromise.

Mitigation & patch

Patches available from the vendor should be applied — commit 846d5839026161bb299b7a35fd3b2afb107992fc in the judge0/judge0 GitHub repository addresses this vulnerability. It is recommended to update to a version containing this fix and restrict access to the Judge0 instance only to trusted users until the patch is deployed.

Who is affected

Judge0 in version v1.13.0 and earlier — details indicated in vendor references (GitHub Security Advisory GHSA-h9g2-45c8-89cf)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References