CVE-2026-25117
Sandbox Escape via Arbitrary JavaScript Injection in pwn.college DOJO
Publication date: 2026-01-29
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pwn.college | dojo | e33da14449a5abcff507e554f66e2141d6683b0a |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in pwn.college DOJO occurs because of missing sandboxing on the /workspace/* routes, which allows challenge authors to inject arbitrary JavaScript that runs with the same origin as http://dojo.website. This sandbox escape enables the injected JavaScript to execute any actions that the user could perform, potentially leading to dangerous consequences. The issue was fixed in commit e33da14449a5abcff507e554f66e2141d6683b0a.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker (challenge author) to execute arbitrary JavaScript in the context of the dojo.website origin. This means the attacker can perform any actions that the user is capable of, potentially leading to unauthorized actions, data theft, or other malicious activities within the platform.
What immediate steps should I take to mitigate this vulnerability?
Update pwn.college DOJO to include the commit e33da14449a5abcff507e554f66e2141d6683b0a or later, which patches the missing sandboxing on `/workspace/*` routes and prevents arbitrary JavaScript execution from challenge authors.