Critical Judge0 Flaws Expose Online Coding Platforms to Full System Takeovers
A series of serious vulnerabilities in Judge0, a widely-used online code execution system, could have devastating consequences for competitive programming sites, e-learning platforms, and any service that relies on secure code evaluation.
Three vulnerabilities (CVE-2024-29021, CVE-2024-28185, CVE-2024-28189) affecting Judge0 versions 1.13.0 and earlier have the potential to lead to complete system compromises. Successful exploitation could allow attackers to:
- Escape the sandbox environment where code is analyzed
- Execute malicious code on the server hosting Judge0
- Potentially gain full administrative control of the system
The Danger Within
- SSRF to Sandbox Escape (CVE-2024-29021, CVSS 9.1): Default configurations in Judge0, along with lax password protection, leave the door open for Server-Side Request Forgery (SSRF) attacks. An attacker can use this to break out of the sandbox, leading to code execution as the root user in the Docker container.
- Symbolic Links: The Key to Escape (CVE-2024-28185 and CVE-2024-28189): Attackers can exploit the way Judge0 handles symbolic links. By creating symlinks to files outside the sandbox environment, attackers can not only overwrite arbitrary files but also completely bypass patches designed to fix earlier vulnerabilities. Both flaws have a CVSS score of 10.
Domino Effect: From Sandbox to Server
The risk escalates due to Judge0’s Docker container often running with privileged access. Once outside the sandbox, attackers can compromise the entire host system. This means unfettered access to sensitive databases, internal networks, and potentially other critical applications hosted on the same machine.
Who’s At Risk?
Any platform that uses Judge0 for online code execution is vulnerable. This includes:
- Competitive Programming Sites: Compromise could allow attackers to leak problem sets, manipulate scores, or disrupt events entirely.
- E-learning Platforms: Attackers could steal educational content, disrupt courses, or tamper with student records.
- Recruitment Platforms: Used to assess candidates, a breach could expose confidential resumes or give attackers an unfair advantage.
Act Now: Patch and Protect
Organizations using Judge0 must immediately update to version 1.13.1 or later, which contains the necessary fixes. Additionally, here’s how to strengthen your defense:
- Review Configurations: Ensure secure configuration settings are in place. Pay close attention to the ALLOW_ENABLE_NETWORK flag and enforce strong database passwords.
- Principle of Least Privilege: Limit the permissions granted to the Judge0 Docker container. If possible, avoid running it with full root privileges.
- Monitor for Compromise: Review system logs for signs of unauthorized activity or suspicious file system changes.
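As an added example (not Judge0 project code) of the configuration review the advice above calls for, this Python script audits a constructed Judge0 config file and compose fragment for the settings the article flags: network access enabled, weak or empty database passwords, a privileged container and an unpatched version. The env-style key=value config format, the compose key names and the image tag are assumptions.

```python
"""Audit a Judge0 deployment for the weak settings called out in the advisory.
Added example; the config format and compose keys are assumptions, not Judge0's."""
import re

# Constructed sample of an env-style judge0.conf (assumed format), not a real deployment.
SAMPLE_CONF = """\
# judge0 settings
ALLOW_ENABLE_NETWORK=true
POSTGRES_PASSWORD=
REDIS_PASSWORD=password
"""

# Constructed docker-compose fragment for the Judge0 workers service (assumed keys).
SAMPLE_COMPOSE = """\
services:
  workers:
    image: judge0/judge0:1.13.0
    privileged: true
"""

WEAK_PASSWORDS = {"", "password", "judge0", "postgres", "changeme"}

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def audit(conf_text, compose_text):
    """Return a list of (setting, finding) pairs that need attention."""
    env = parse_env(conf_text)
    findings = []
    if env.get("ALLOW_ENABLE_NETWORK", "").lower() == "true":
        findings.append(("ALLOW_ENABLE_NETWORK", "submissions may reach the network; set to false unless required"))
    for key in ("POSTGRES_PASSWORD", "REDIS_PASSWORD"):
        if env.get(key, "") in WEAK_PASSWORDS:  # missing key counts as empty
            findings.append((key, "empty or weak password; set a strong unique value"))
    if re.search(r"^\s*privileged:\s*true\s*$", compose_text, re.MULTILINE):
        findings.append(("privileged", "container runs privileged; a sandbox escape reaches the host"))
    m = re.search(r"judge0/judge0:(\d+)\.(\d+)\.(\d+)", compose_text)
    if m and tuple(map(int, m.groups())) < (1, 13, 1):
        findings.append(("image", "Judge0 version older than 1.13.1; update"))
    return findings
```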
The Importance of Secure Code Execution
The Judge0 case reinforces the need for robust security practices around code execution systems. The ability to safely analyze untrusted code is crucial for many online services. Developers and organizations using these platforms must prioritize patching, secure configurations, and continuous monitoring to prevent exploitation.