CVE-2026-25117
Unknown Unknown - Not Provided
Sandbox Escape via Arbitrary JavaScript Injection in pwn.college DOJO

Publication date: 2026-01-29

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description
pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25117
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pwn.college dojo e33da14449a5abcff507e554f66e2141d6683b0a
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in pwn.college DOJO occurs because of missing sandboxing on the /workspace/* routes, which allows challenge authors to inject arbitrary JavaScript that runs with the same origin as http://dojo.website. This sandbox escape enables the injected JavaScript to execute any actions that the user could perform, potentially leading to dangerous consequences. The issue was fixed in commit e33da14449a5abcff507e554f66e2141d6683b0a.

Impact Analysis

This vulnerability can impact you by allowing an attacker (challenge author) to execute arbitrary JavaScript in the context of the dojo.website origin. This means the attacker can perform any actions that the user is capable of, potentially leading to unauthorized actions, data theft, or other malicious activities within the platform.

Mitigation Strategies

Update pwn.college DOJO to include the commit e33da14449a5abcff507e554f66e2141d6683b0a or later, which patches the missing sandboxing on `/workspace/*` routes and prevents arbitrary JavaScript execution from challenge authors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart