PT-2024-22322 · Judge0 · Judge0

Stacksparrow4 · Published 2024-04-18 · Updated 2024-05-02 · CVE-2024-28189

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Judge0 versions prior to 1.13.1

Description

The issue arises from the application's use of the UNIX chown command on an untrusted file within the sandbox. An attacker can create a symbolic link (symlink) inside the sandbox that points to a file outside it, so that chown is run on arbitrary files outside of the sandbox. This can be used to bypass a previous patch and obtain a complete sandbox escape.

Recommendations

Update to version 1.13.1 to resolve the issue. As a temporary workaround, consider restricting the use of the chown command within the sandbox until the update is applied.
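An added example, not code from Judge0 or from this advisory: one way for a service to change ownership of a file in an untrusted directory without following a symlink planted there, by opening the entry with O_NOFOLLOW relative to a directory descriptor and calling fchown on that descriptor. The function name chown_inside, the file names and the temporary directory layout are assumptions constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def chown_inside(dir_fd, name, uid, gid):
    """chown the regular file `name` located directly in dir_fd; False if refused."""
    # Accept a bare file name only: resolved relative to dir_fd, it has no
    # intermediate path components that could be replaced by symlinks.
    if not name or "/" in name or name in (".", ".."):
        return False
    try:
        # O_NOFOLLOW makes open() fail with ELOOP when `name` is a symlink.
        # O_NONBLOCK keeps the open from hanging if `name` is a FIFO.
        flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
        fd = os.open(name, flags, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOENT):
            return False
        raise
    try:
        # Check and change through the same descriptor, so the entry cannot
        # be swapped between the type check and the ownership change.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.fchown(fd, uid, gid)
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a symlink in the sandbox dir points outside it."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside.txt")
        box = os.path.join(root, "box")
        os.mkdir(box)
        for path in (outside, os.path.join(box, "run.sh")):
            with open(path, "w") as f:
                f.write("x")
        os.symlink(outside, os.path.join(box, "link"))
        dir_fd = os.open(box, os.O_RDONLY | os.O_DIRECTORY)
        try:
            uid, gid = os.getuid(), os.getgid()
            names = ("run.sh", "link", "../outside.txt")
            return tuple(chown_inside(dir_fd, n, uid, gid) for n in names)
        finally:
            os.close(dir_fd)
```

`demo()` uses the caller's own uid and gid so it runs without root; the regular file is accepted while the symlink and the path that leaves the directory are refused.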

Exploit

Fix

Link Following

Weakness Enumeration

Related Identifiers

CVE-2024-28189
GHSA-3XPW-36V7-2CMG
GHSA-H9G2-45C8-89CF

Affected Products

Judge0