CVE-2026-25117 is a vulnerability identified in the pwn.college DOJO platform, an educational cybersecurity environment. The root cause is improper input validation (CWE-20) combined with a lack of sandboxing on the /workspace/* routes, which are intended to isolate challenge code. Prior to the patch in commit e33da14449a5abcff507e554f66e2141d6683b0a, challenge authors could inject arbitrary JavaScript that executes in the same origin as http://dojo.website. This sandbox escape allows the injected script to perform any actions that the legitimate user could, including stealing session tokens, manipulating the DOM, or performing unauthorized actions within the platform. The vulnerability does not require authentication or privileges but does require user interaction to trigger the malicious payload. The CVSS 4.0 score is 8.3 (high), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction needed, and high impact on confidentiality and moderate on integrity. No known exploits are reported in the wild yet. The vulnerability is categorized under CWE-20 (Improper Input Validation) and CWE-79 (Cross-site Scripting).

For European organizations, especially educational institutions and cybersecurity training centers using pwn.college DOJO, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to user sessions, data leakage, and manipulation of training environments, undermining the integrity of cybersecurity education. Since the platform is used to teach security concepts, a compromised environment could also be leveraged to distribute malicious payloads or mislead learners. The impact extends to loss of trust in the platform and potential exposure of sensitive user information. Given the network-exploitable nature and the high confidentiality impact, organizations could face reputational damage and compliance issues under GDPR if personal data is compromised.

The primary mitigation is to immediately update the pwn.college DOJO platform to the fixed version at commit e33da14449a5abcff507e554f66e2141d6683b0a or later. Additionally, organizations should restrict challenge author permissions to trusted users only and implement strict content security policies (CSP) to limit the execution of unauthorized scripts. Employing web application firewalls (WAF) with rules to detect and block suspicious JavaScript injections on /workspace/* routes can provide an additional layer of defense. Regular security audits and sandboxing verification should be conducted to ensure no regression occurs. User education about phishing and social engineering risks related to malicious challenges is also recommended. Monitoring logs for unusual activity related to challenge submissions can help detect exploitation attempts early.