CVE-2026-25117 Overview
CVE-2026-25117 is a Cross-Site Scripting (XSS) vulnerability affecting pwn.college DOJO, an education platform for learning cybersecurity. The vulnerability stems from missing sandboxing on /workspace/* routes, allowing challenge authors to inject arbitrary JavaScript that executes on the same origin as the dojo website. This represents a sandbox escape vulnerability that enables arbitrary JavaScript execution within the application's trusted origin context.
Critical Impact
A malicious challenge author can craft pages that execute any dangerous actions that legitimate users could perform, potentially compromising user accounts and sensitive educational data.
Affected Products
- pwn.college DOJO (prior to commit e33da14449a5abcff507e554f66e2141d6683b0a)
Discovery Timeline
- 2026-01-29 - CVE CVE-2026-25117 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-25117
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation). The core issue lies in the application's failure to properly sandbox content served through the /workspace/* routes. In the pwn.college DOJO platform, workspace routes are designed to serve challenge-specific content. Without proper sandboxing mechanisms, any JavaScript embedded in challenge content executes within the same origin as the main dojo application.
This same-origin execution is particularly dangerous because it grants malicious scripts full access to the user's session, cookies, and the ability to perform any action the authenticated user is authorized to perform. In an educational platform context, this could include accessing student data, manipulating grades, or impersonating users.
Root Cause
The root cause is improper input validation and missing sandboxing on the /workspace/* routes. The application failed to isolate workspace content from the main application origin, allowing untrusted content from challenge authors to execute in a trusted context. The vulnerability fundamentally violates the principle of least privilege by granting challenge-authored content the same permissions as core application code.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker with challenge author privileges can craft malicious workspace content containing JavaScript payloads. When a victim user navigates to the compromised workspace route, the malicious JavaScript executes with full same-origin privileges. The attacker can then perform actions such as:
- Session hijacking through cookie theft
- Performing actions on behalf of the authenticated user
- Modifying user data or platform content
- Exfiltrating sensitive information
The security patch introduced workspace isolation through the addition of workspace_exclusive profile in the deployment configuration:
multi_node=$(jq 'length > 0' /data/workspace_nodes.json 2>/dev/null || echo "unknown")
if [ "$WORKSPACE_NODE" -gt 0 ]; then
profiles+=("workspace")
+ profiles+=("workspace_exclusive")
elif [ "$multi_node" == "true" ]; then
profiles+=("main")
else
Source: GitHub Commit
Detection Methods for CVE-2026-25117
Indicators of Compromise
- Unusual JavaScript execution patterns originating from /workspace/* routes
- Unexpected cross-origin requests initiated from workspace pages
- Anomalous session activity following user visits to workspace content
- JavaScript payloads embedded in challenge content that attempt DOM manipulation outside expected scope
Detection Strategies
- Monitor web application logs for suspicious requests to /workspace/* endpoints that return JavaScript content
- Implement Content Security Policy (CSP) violation reporting to detect unauthorized script execution
- Deploy browser-based XSS detection tools to identify malicious payload patterns
- Review challenge submissions for embedded JavaScript that interacts with session or authentication mechanisms
Monitoring Recommendations
- Enable detailed logging for all workspace route access with user context
- Implement real-time alerting for JavaScript execution anomalies on workspace pages
- Configure web application firewall rules to detect common XSS payload patterns
- Conduct regular security audits of challenge content submitted by authors
How to Mitigate CVE-2026-25117
Immediate Actions Required
- Upgrade pwn.college DOJO to commit e33da14449a5abcff507e554f66e2141d6683b0a or later immediately
- Review existing workspace content for potentially malicious JavaScript injections
- Audit challenge author accounts for suspicious activity
- Implement emergency CSP headers if immediate patching is not possible
Patch Information
The vulnerability is resolved in commit e33da14449a5abcff507e554f66e2141d6683b0a. The patch introduces proper workspace isolation by adding a workspace_exclusive profile to the deployment configuration, ensuring workspace content is sandboxed from the main application origin. For detailed patch information, see the GitHub Security Advisory and the commit details.
Workarounds
- Implement strict Content Security Policy headers to restrict script execution sources
- Temporarily disable workspace routes if patching is delayed
- Review and sanitize all existing challenge content before allowing user access
- Restrict challenge author privileges to trusted users only until patch is applied
# Example CSP header configuration for temporary mitigation
# Add to web server configuration
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
