Heym Sandbox Escape Vulnerability via Python Introspection

Vulnerability

A sandbox escape vulnerability has been identified in Heym versions prior to 0.0.21. It allows authenticated workflow authors to bypass sandbox restrictions using object-graph introspection techniques. By exploiting this issue, an attacker can reach the unrestricted __import__ function, import prohibited modules such as os and subprocess, and read sensitive backend environment variables containing database credentials and encryption keys. This access could then be used to execute arbitrary commands on the host system as the backend service user.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive environment variables and the ability to execute arbitrary commands on the host system, potentially compromising the application or its data.

Reproduction

The vulnerability can be reproduced by an authenticated workflow author who creates a custom Python tool. Using object-graph introspection primitives, the tool can reach the unrestricted __import__ function and import blocked modules such as os and subprocess. Once these modules are imported, the same access can be used to read sensitive environment variables, such as those containing database credentials and encryption keys, and to execute commands on the host system as the backend service user.
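As an added defensive example that is not part of this advisory or of the Heym code base: a static pre-screen a workflow host could run over a submitted custom tool before admitting it to the sandbox. Only the names os, subprocess and __import__ come from the advisory; the remaining blocked builtins and the dunder-attribute rule are an assumed policy choice, and the two tool snippets are constructed here.

```python
import ast

# Modules the advisory names as prohibited inside the sandbox.
BLOCKED_MODULES = {"os", "subprocess"}
# Builtins that would hand back unrestricted import or dynamic attribute
# access if reachable (assumed policy; only __import__ is named by the advisory).
BLOCKED_NAMES = {"__import__", "eval", "exec", "compile", "getattr", "vars", "globals"}


def _is_dunder(name):
    """True for special-attribute names such as __class__ or __dict__."""
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def screen_tool_source(source):
    """Return (line, reason) findings for tool code submitted by a workflow author.

    Any attribute spelled as a dunder name is rejected, because walking the
    object graph through special attributes is the route the advisory
    describes; direct imports of the blocked modules are rejected as well.
    An empty list means the pre-screen found nothing to object to.
    """
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return [(e.lineno or 0, "syntax error: tool not admitted")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and _is_dunder(node.attr):
            findings.append((node.lineno, f"dunder attribute access: .{node.attr}"))
        elif isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            findings.append((node.lineno, f"blocked builtin: {node.id}"))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    findings.append((node.lineno, f"blocked import: {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in BLOCKED_MODULES:
                findings.append((node.lineno, f"blocked import: from {node.module}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and _is_dunder(node.value):
            # A dunder name as a string literal is usually fed to getattr().
            findings.append((node.lineno, f"dunder name as string literal: {node.value!r}"))
    return findings


# Constructed samples: a benign tool and one that would be refused.
BENIGN_TOOL = "def run(text):\n    return text.upper()\n"
SUSPICIOUS_TOOL = "import subprocess\nv = cfg.__dict__\n"
```

A static screen of this kind is bypassable by construction and is only one layer: the fix the advisory points to is the vendor update, and process-level isolation plus keeping credentials out of the sandboxed process environment are what limit impact when a screen is evaded.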

Remediation

Users should update to Heym version 0.0.21 or later, where this vulnerability has been addressed.

Added: May 12, 2026, 10:20 PM
Updated: May 12, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.