CVE-2026-25117
📋 TL;DR
This CVE describes a sandbox escape vulnerability in the pwn.college DOJO education platform in which challenge authors could inject arbitrary JavaScript that runs with the same-origin privileges as the main dojo.website domain. This allows a malicious challenge author to execute any action that an authenticated user could perform, potentially compromising user accounts and platform integrity.
💻 Affected Systems
- pwn.college DOJO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Challenge authors could steal user credentials, hijack user sessions, manipulate challenge solutions, exfiltrate sensitive data, or perform administrative actions on the platform.
Likely Case
Challenge authors could manipulate challenge outcomes, steal user tokens or cookies, and potentially access other users' workspace data.
If Mitigated
With proper sandboxing and content security policies, JavaScript execution would be isolated and unable to access the main application origin.
🎯 Exploit Status
Exploitation requires challenge author privileges, but the vulnerability itself is straightforward once those privileges are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit e33da14449a5abcff507e554f66e2141d6683b0a
Vendor Advisory: https://github.com/pwncollege/dojo/security/advisories/GHSA-wvcf-9xm8-7mrg
Restart Required: Yes
Instructions:
1. Update to commit e33da14449a5abcff507e554f66e2141d6683b0a or later.
2. Restart the DOJO application.
3. Verify that sandboxing is properly implemented on /workspace/* routes.
🔧 Temporary Workarounds
Disable challenge author functionality
Temporarily disable the ability for users to create and run custom challenges until patched.
# Configuration dependent - modify DOJO settings to disable challenge authoring
Implement strict CSP headers
Add Content Security Policy headers to isolate /workspace/* routes from the main application origin.
# Add to web server configuration: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement network segmentation to isolate the DOJO platform from other critical systems
- Enable detailed logging and monitoring of all /workspace/* route access and JavaScript execution
🔍 How to Verify
Check if Vulnerable:
Check if your DOJO instance is running a version prior to commit e33da14449a5abcff507e554f66e2141d6683b0a
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that commit e33da14449a5abcff507e554f66e2141d6683b0a is present in your deployed history, and test that JavaScript served from /workspace/* routes cannot access the main application origin.
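One way to script the second part of that check, as an added example that is not the DOJO project's own code: given the main-application URL, the workspace URL and the workspace response headers (constructed sample values in the block), it reports whether workspace content is origin-isolated. The criterion it applies is an assumption of this example, not something the advisory states: only a distinct origin, or a CSP `sandbox` directive without `allow-same-origin`, counts as isolation.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its (scheme, host, port) origin tuple."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def _csp_sandbox_isolates(csp):
    """True if the CSP has a 'sandbox' directive that does not re-grant same-origin.

    A sandbox directive gives the document an opaque origin unless
    'allow-same-origin' is listed, so this is the only CSP form treated
    here as isolating (assumption of this example).
    """
    if not csp:
        return False
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            flags = {t.lower() for t in tokens[1:]}
            return "allow-same-origin" not in flags
    return False


def workspace_isolated(main_url, workspace_url, workspace_headers):
    """Return (isolated, reason) for a workspace response."""
    headers = {k.lower(): v for k, v in workspace_headers.items()}
    if _origin(main_url) != _origin(workspace_url):
        return True, "workspace is served from a different origin"
    if _csp_sandbox_isolates(headers.get("content-security-policy")):
        return True, "CSP sandbox directive gives workspace content an opaque origin"
    return False, "workspace shares the main origin and nothing isolates it"


if __name__ == "__main__":
    # Constructed sample inputs; hostnames are placeholders, not a real deployment.
    main = "https://dojo.example.test"
    cases = [
        (main, "https://dojo.example.test/workspace/abc", {}),
        (main, "https://ws.dojo.example.test/abc", {}),
        (main, "https://dojo.example.test/workspace/abc",
         {"Content-Security-Policy": "default-src 'self'; sandbox allow-scripts"}),
    ]
    for m, w, h in cases:
        print(w, "->", workspace_isolated(m, w, h))
```

An allow-list policy such as `default-src 'self'; script-src 'self'` restricts where scripts load from but does not change the document's origin, so this check deliberately does not treat it as isolation.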
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns in /workspace/* routes
- Cross-origin requests from workspace domains to main application
Network Indicators:
- JavaScript payloads attempting to access parent windows or cross-origin resources
- Unexpected POST/GET requests from workspace contexts to sensitive endpoints
SIEM Query:
source="dojo_access_logs" AND (uri_path="/workspace/*" AND (event="javascript_execution" OR event="cross_origin_request"))