OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.
The JavaScript rules engine executes user-supplied scripts by calling Nashorn ScriptEngine.eval() without any sandboxing, class filtering, or access restrictions. Permission checking in RulesResourceImpl restricts Groovy rules exclusively to superusers, while JavaScript rules are left unrestricted for any user with the write:rules role. Additionally, in the Groovy rules engine, the security filter GroovyDenyAllFilter defined is never registered because the registration code is commented out — thus the SandboxTransformer mechanism remains ineffective even for rules created by superusers.
An attacker without superuser privileges but with the write:rules role can remotely execute arbitrary code as root, read system files, steal environment variables (including database credentials), and completely bypass multi-tenant isolation, gaining access to data of all tenants (realms) in the platform.
OpenRemote should be updated to version 1.22.0 as soon as possible, where the vulnerability has been fixed. Details are available in the official release on GitHub (tag 1.22.0) and in security advisory GHSA-7mqr-33rv-p3mp.
OpenRemote in versions 1.21.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOpenremote
APPOpenremote< 1.22.0
Related vulnerabilities
An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted G...
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import pat...
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin...