KanaDojo before 0.1.18 contains a sandbox escape...
High severity
Unreviewed
Published
Jun 11, 2026
to the GitHub Advisory Database
•
Updated Jun 11, 2026
Description
Published by the National Vulnerability Database
Jun 11, 2026
Published to the GitHub Advisory Database
Jun 11, 2026
Last updated
Jun 11, 2026
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.
References