CVE-2022-36065: CWE-24: Path Traversal: '../filedir' in growthbook growthbook

Medium
Published: Tue Sep 06 2022 (09/06/2022, 21:05:10 UTC)
Source: CVE
Vendor/Project: growthbook
Product: growthbook

Description

GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build.

AI-Powered Analysis

Last updated: 06/22/2025, 22:35:07 UTC

Technical Analysis

CVE-2022-36065 is a medium-severity path traversal vulnerability in GrowthBook, an open-source platform for feature flagging and A/B testing. It affects self-hosted deployments built before the 2022-08-29 patch when three conditions hold at once: the instance is configured for local file uploads rather than S3 or Google Cloud Storage; NODE_ENV is set to a non-production value; and JWT_SECRET is set to a weak, guessable string such as 'dev'.

Under these conditions an attacker can register a new account and use the path traversal flaw in the upload handler to write files to arbitrary directories inside the container hosting GrowthBook. Writing a malicious Python script to a suitable location then yields arbitrary code execution inside the container, and with it full compromise of the containerized application instance. The underlying weakness is improper limitation of a pathname to a restricted directory (CWE-22), specifically the '../filedir' traversal pattern (CWE-24).

The fix shipped in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a stop-gap, setting JWT_SECRET to a long random string stops the arbitrary file upload, but it does not stop attackers from registering accounts; only updating to a build that contains the patch removes both problems. No exploits in the wild were known at publication, but the required combination of a vulnerable version and development-style settings is plausible in some self-hosted deployments.

Potential Impact

For European organizations using self-hosted GrowthBook instances with vulnerable versions and configurations, this vulnerability poses a significant risk. Successful exploitation can lead to arbitrary code execution within the container, potentially allowing attackers to escalate privileges, move laterally within internal networks, exfiltrate sensitive data, or disrupt services. Since GrowthBook is often used to manage feature flags and A/B testing, compromise could also lead to manipulation of application behavior, impacting business logic and user experience. The impact on confidentiality, integrity, and availability depends on the deployment context but could be severe if the container has access to sensitive data or internal systems. Given that the vulnerability requires self-hosted deployments with specific insecure configurations, cloud-hosted GrowthBook users are not affected. However, organizations that have not hardened environment variables or use local file uploads remain at risk. The medium severity rating reflects the need for multiple conditions for exploitation, but the potential for arbitrary code execution elevates the threat level. European organizations in sectors with high reliance on software development and feature management platforms, such as technology firms, financial services, and e-commerce, could be particularly impacted.

Mitigation Recommendations

1. Immediate update: Upgrade all self-hosted GrowthBook instances to a build that includes the 2022-08-29 patch (commit 1a5edff8786d141161bf880c2fd9ccbe2850a264) to fully remediate the vulnerability.
2. Environment hardening: Ensure NODE_ENV is set to 'production' to disable development-specific behaviors that facilitate exploitation.
3. Secure JWT_SECRET: Replace any weak or default JWT_SECRET values with long, cryptographically strong random strings to prevent unauthorized file uploads.
4. Storage configuration: Prefer cloud storage options (e.g., S3, Google Cloud Storage) for file uploads instead of local file storage to reduce attack surface.
5. Account registration controls: Implement additional controls on user registration, such as CAPTCHA, email verification, or IP rate limiting, to prevent automated or malicious account creation.
6. Container isolation: Run GrowthBook containers with least privilege, restricting filesystem and network access to limit the impact of potential code execution.
7. Monitoring and logging: Enable detailed logging and monitor for suspicious file upload activity or unauthorized account registrations to detect exploitation attempts early.
8. Incident response planning: Prepare to respond to potential compromises by having backups, forensic capabilities, and remediation procedures in place.

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3d86

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 10:35:07 PM

Last updated: 8/8/2025, 11:32:11 PM
