Windmill Code Injection Vulnerability in NativeTS Executor

Vulnerability

A code injection vulnerability has been identified in Windmill versions prior to 1.664.0. This issue arises because workspace environment variable values are directly interpolated into JavaScript string literals in the NativeTS executor, without properly escaping single quotes. A workspace admin can exploit this by setting a custom environment variable that includes a single quote, allowing the injection of arbitrary JavaScript that executes in every NativeTS script within that workspace. The vulnerability exists in 'worker.rs' and is not related to sandboxing or NSJAIL.
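
The interpolation flaw described above, reduced to a small JavaScript string builder. This is an added example, not code from Windmill's worker.rs: the shape of the generated prelude (assignments into an `env` object) is an assumption, and the sample values are constructed. The unsafe builder drops values into single-quoted literals; the hardened one emits each value through JSON.stringify, which escapes quotes, backslashes and newlines.

```javascript
// Added example (not Windmill's own code). The prelude layout is assumed.

function buildPreludeUnsafe(envVars) {
  // Vulnerable pattern: a value containing ' terminates the literal early,
  // so whatever follows the quote is parsed as JavaScript, not data.
  return Object.entries(envVars)
    .map(([k, v]) => `env[${JSON.stringify(k)}] = '${v}';`)
    .join("\n");
}

function buildPreludeSafe(envVars) {
  // Hardened pattern: JSON.stringify always yields a valid JS string literal,
  // whatever characters the value contains.
  return Object.entries(envVars)
    .map(([k, v]) => `env[${JSON.stringify(k)}] = ${JSON.stringify(String(v))};`)
    .join("\n");
}

// Evaluate a prelude in isolation and return the populated env object,
// or null when the generated source is not valid JavaScript.
function runPrelude(prelude) {
  try {
    return new Function("env", prelude + "\nreturn env;")({});
  } catch (e) {
    return null;
  }
}

// Property a defender wants from the builder: every value survives the
// trip through generated source unchanged, for any input.
function roundTrips(builder, envVars) {
  const env = runPrelude(builder(envVars));
  if (env === null) return false;
  return Object.entries(envVars).every(([k, v]) => env[k] === String(v));
}

// Constructed sample: legitimate values that happen to contain a quote
// and a newline, which is all it takes to break the unsafe builder.
const sampleEnv = { DB_PASSWORD: "it's-a-secret", NOTE: "line1\nline2" };
```

A value with a single quote does not need to be a deliberate payload to break the unsafe form; the round-trip check fails on ordinary data, while the hardened builder passes for every input.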

Impact

Exploitation of this vulnerability allows a workspace admin to inject and execute arbitrary JavaScript in NativeTS scripts, potentially leading to unauthorized access to sensitive information such as JWT tokens and email addresses of users who run the scripts.

Reproduction

To reproduce this vulnerability, set a workspace environment variable whose value contains a single quote followed by JavaScript, via either the Windmill API or the workspace settings UI. Then create and run any NativeTS script in that workspace: the injected code executes as part of the script's run, confirming the issue.

Remediation

Users can update to Windmill version 1.664.0 or later, where this vulnerability has been patched.

Added: Mar 27, 2026, 9:33 PM
Updated: Mar 27, 2026, 9:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.