Cyber Resilience

CVE-2024-28189

Critical

Published: 18 April 2024

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5758 (98.2th percentile)
Risk Priority: 55 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-28189 is a critical-severity Link Following (CWE-59) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Judge0 is an open-source online code execution system that runs untrusted code inside an isolated sandbox. The vulnerability exists in the isolate_job component, which invokes the UNIX chown command directly on a file path supplied by user code without first resolving or validating symbolic links. This allows an attacker to supply a symlink that points outside the sandbox, causing chown to operate on arbitrary files on the host filesystem. The issue is tracked as CWE-59 and CWE-61 and was assigned a CVSS score of 10.0.

An unauthenticated remote attacker who can submit code to a Judge0 instance can create the malicious symlink and thereby change ownership of files outside the sandbox. Although the flaw has limited direct impact, it can be chained with the earlier CVE-2024-28185 to fully escape the sandbox and obtain arbitrary code execution on the host. Exploitation requires no special privileges or user interaction.

The vulnerability is fixed in Judge0 version 1.13.1. The project’s security advisories GHSA-3xpw-36v7-2cmg and GHSA-h9g2-45c8-89cf, along with the corresponding commit, describe the symlink-handling flaw and confirm that the chown operation was updated to prevent traversal outside the sandbox. The EPSS score has remained at 0.5758 with no material increase since disclosure.
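The following is an added example, not Judge0's code or its actual patch: one way to change ownership of a sandbox file without following a link, by opening it with O_NOFOLLOW and calling fchown on the descriptor instead of passing a path to chown. The helper name `safe_chown`, the file names and the directory layout are assumptions constructed for the illustration.

```ruby
require "tmpdir"

# Hypothetical helper, not Judge0's code: change ownership of one file that
# sits directly in sandbox_dir without ever resolving a link to reach it.
def safe_chown(sandbox_dir, name, uid, gid)
  # Assumption: only plain file names are accepted, so no path component
  # below the sandbox root is under the untrusted program's control.
  return :invalid_name if name.include?("/") || name == "." || name == ".."

  path = File.join(File.realpath(sandbox_dir), name)
  # O_NOFOLLOW: open fails with ELOOP when the final component is a symlink.
  # O_NONBLOCK: do not hang if the name turns out to be a FIFO.
  File.open(path, File::RDONLY | File::NOFOLLOW | File::NONBLOCK) do |f|
    st = f.stat
    return :not_regular_file unless st.file?
    # A hard link is not a symlink, so O_NOFOLLOW allows it; refuse extra links.
    return :hardlink_rejected if st.nlink > 1
    f.chown(uid, gid) # fchown(2) on the descriptor just inspected, not a path
  end
  :ok
rescue Errno::ELOOP
  :symlink_rejected
rescue Errno::ENOENT
  :missing
end

# Constructed layout: a sandbox directory, a file outside it standing in for
# a host file, and a symlink inside the sandbox that points at that file.
def demo
  Dir.mktmpdir("cve-demo") do |tmp|
    sandbox = File.join(tmp, "sandbox")
    Dir.mkdir(sandbox)
    outside = File.join(tmp, "host_file")
    File.write(outside, "host data")
    File.write(File.join(sandbox, "output.txt"), "program output")
    File.symlink(outside, File.join(sandbox, "link"))
    uid = Process.euid
    gid = Process.egid
    { regular: safe_chown(sandbox, "output.txt", uid, gid),
      symlink: safe_chown(sandbox, "link", uid, gid),
      traversal: safe_chown(sandbox, "../host_file", uid, gid),
      missing: safe_chown(sandbox, "nope", uid, gid) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The demo passes the caller's own uid and gid so it runs without root; a service running as root would pass the target owner instead.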

EU & UK References

Vulnerability details

Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on its own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References