CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25117: Class Is in Session: Escaping the pwn.college Sandbox via SOP Negligence

Vulnerability ID: CVE-2026-25117
CVSS Score: 8.3
Published: 2026-01-29

A critical architectural flaw in the pwn.college DOJO platform allowed challenge authors to break out of their containerized environments and execute arbitrary JavaScript on the main application origin. By failing to enforce Origin isolation between the core platform and user-controlled workspaces, the application inadvertently granted 'root' access to the browser's trust model.

TL;DR

The pwn.college DOJO hosted user-controlled challenge workspaces on the same origin (dojo.website) as the main application. This allowed malicious challenge authors to serve JavaScript that the browser treated as trusted, enabling full account takeover via XSS. Fixed by moving workspaces to a separate subdomain and enforcing HMAC-signed routing.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-79 (XSS) / CWE-20 (Improper Input Validation)
  • Attack Vector: Network (User-Assisted)
  • CVSS v4.0: 8.3 (High)
  • Impact: Session Hijacking / Account Takeover
  • Exploit Status: Functional PoC Available
  • Patch: Commit e33da14

Affected Systems

  • pwn.college DOJO platform (Self-hosted)
  • pwn.college DOJO (Cloud instances)
  • dojo: < e33da14 (Fixed in: e33da14449a5abcff507e554f66e2141d6683b0a)

Code Analysis

Commit: e33da14

Fix workspace origin isolation and implement HMAC signature verification for routes

Diff too large to display inline; involves Nginx config and Python route handling changes.

Exploit Details

Mitigation Strategies

  • Isolate user-generated content on a separate domain (e.g., from example.com to user-content.com).
  • Implement Content Security Policy (CSP) to restrict script execution sources.
  • Use HMAC signatures to verify authorization for dynamic resource access.

Remediation Steps:

  1. Update pwn.college DOJO to a version including commit e33da14449a5abcff507e554f66e2141d6683b0a.
  2. Configure the 'WORKSPACE_HOST' environment variable to a distinct subdomain or domain.
  3. Regenerate 'WORKSPACE_SECRET' to invalidate any previously signed URLs.
  4. Flush Nginx caches to ensure old routing rules are purged.
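To make the HMAC mitigation and the WORKSPACE_HOST / WORKSPACE_SECRET remediation steps concrete, here is an added Python example; it is not code from the pwn.college DOJO project or from commit e33da14. It issues short-lived HMAC-signed workspace URLs that point only at a separate workspace host, verifies them with a constant-time comparison and an expiry, refuses to route a workspace request that arrives on the main application host, shows that rotating the secret invalidates previously signed links, and emits a CSP for the main origin that only frames the workspace host. The workspace hostname, the URL layout, the query parameter names and the default secret are assumptions constructed for this example; the real platform's routes and signing format are not described on this page.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values. A real deployment reads WORKSPACE_HOST and
# WORKSPACE_SECRET (the settings named in the advisory) from the environment;
# the defaults below exist only so the example runs offline.
MAIN_HOST = "dojo.website"  # main application origin named in the advisory
WORKSPACE_HOST = os.environ.get("WORKSPACE_HOST", "workspace.dojo-example.test")  # assumed hostname
WORKSPACE_SECRET = os.environ.get("WORKSPACE_SECRET", "constructed-dev-only-secret").encode()


def _signing_input(user_id: str, workspace_id: str, expires: int) -> bytes:
    # Bind the signature to who may open which workspace, and until when.
    return f"{user_id}\n{workspace_id}\n{expires}".encode()


def _sign(user_id: str, workspace_id: str, expires: int, secret: bytes) -> str:
    return hmac.new(secret, _signing_input(user_id, workspace_id, expires), hashlib.sha256).hexdigest()


def sign_workspace_url(user_id, workspace_id, ttl_seconds=300, now=None, secret=WORKSPACE_SECRET):
    """Issue a short-lived signed URL that points at the workspace host, never the main origin."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"user": user_id, "ws": workspace_id, "exp": expires,
                       "sig": _sign(user_id, workspace_id, expires, secret)})
    return f"https://{WORKSPACE_HOST}/workspace/{workspace_id}/?{query}"


def verify_workspace_request(host, path, query_string, now=None, secret=WORKSPACE_SECRET):
    """Decide whether a workspace request may be routed. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    # 1. Never serve user-controlled workspace content on the main application host.
    if host.split(":")[0].lower() != WORKSPACE_HOST.lower():
        return False, "wrong host"
    params = parse_qs(query_string)
    try:
        user_id = params["user"][0]
        workspace_id = params["ws"][0]
        expires = int(params["exp"][0])
        provided = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing parameters"
    # 2. The signed workspace id must match the workspace actually being requested.
    if not path.startswith(f"/workspace/{workspace_id}/"):
        return False, "path mismatch"
    # 3. Expired links are rejected before the MAC is recomputed.
    if expires < now:
        return False, "expired"
    # 4. Constant-time comparison; a rotated WORKSPACE_SECRET makes old links fail here.
    if not hmac.compare_digest(_sign(user_id, workspace_id, expires, secret), provided):
        return False, "bad signature"
    return True, "ok"


def check_url(url, now=None, secret=WORKSPACE_SECRET):
    """Split a full URL into the host, path and query the verifier sees."""
    parts = urlsplit(url)
    return verify_workspace_request(parts.netloc, parts.path, parts.query, now=now, secret=secret)


def main_origin_security_headers() -> dict:
    """CSP for the main origin: own scripts only, workspaces framed only from the workspace host."""
    csp = (
        "default-src 'self'; "
        "script-src 'self'; "
        "object-src 'none'; "
        f"frame-src https://{WORKSPACE_HOST}; "
        "base-uri 'self'"
    )
    return {"Content-Security-Policy": csp}


if __name__ == "__main__":
    link = sign_workspace_url("42", "level1", ttl_seconds=60, now=1_000_000)
    print(link)
    print(check_url(link, now=1_000_010))
    print(check_url(link.replace(WORKSPACE_HOST, MAIN_HOST, 1), now=1_000_010))
    print(main_origin_security_headers())
```

The host check is what closes the class of bug in this advisory: even a correctly signed link is refused unless it arrives on the workspace host, so workspace content can never execute with the main origin's cookies and storage. Regenerating the secret (remediation step 3) is modelled by passing a different `secret` to the verifier, which rejects every link signed under the old one.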

References


Read the full report for CVE-2026-25117 on our website for more details including interactive diagrams and full exploit analysis.
