A critical sandbox escape in Grist-Core allows a single malicious spreadsheet formula to break out of the Pyodide WebAssembly sandbox and achieve remote code execution on the host. Cyera Research Labs disclosed the CVSS 9.1 flaw and Grist patched it in version 1.7.9 by running Pyodide under Deno with permission-based isolation, and operators are urged to upgrade promptly. #GristCore #Pyodide #CyeraResearchLabs #Deno
Keypoints
- A malicious spreadsheet formula can escape Grist-Coreβs Pyodide sandbox to execute OS commands or host JavaScript.
- The exploit leverages Pythonβs object model, ctypes, and exposed Emscripten runtime hooks to traverse unintended paths.
- Cyera Research Labs reported the issue, which received a CVSS score of 9.1 and was fixed in Grist 1.7.9.
- SaaS deployments increase the blast radius because a sandbox escape can compromise vendor-operated control planes and multiple tenants.
- Administrators should upgrade to the patched release, avoid bypassing Deno, and treat formula execution as a privileged capability.
Read More: https://www.infosecurity-magazine.com/news/pyodide-sandbox-escape-rce-grist/