RELATE Remote Code Execution Vulnerability via Insecure Pickle Deserialization in Celery Workers

Vulnerability

A remote code execution vulnerability exists in RELATE LMS versions prior to 2026.1. The issue arises because the application configures its Celery workers to accept and deserialize untrusted pickle data. An authenticated student can exploit this by sending a crafted pickle payload through the message broker, which leads to the execution of arbitrary commands on the host server. The vulnerability is exacerbated by a lack of network isolation in the code execution sandbox, which is what allows the exploitation to occur remotely.

Impact

Exploitation of this vulnerability allows for full remote code execution on the host machine where the Celery worker is running. This could lead to complete server compromise, including access to the database and manipulation of course data.

Reproduction

To reproduce this vulnerability, set up a RELATE instance with Celery and a Redis broker. An authenticated student can then exploit the vulnerability by sending a crafted pickle payload through the Redis broker to the Celery worker. This can be done using a Python script that connects to the Redis broker, pushes the crafted payload as a Celery task, and exploits the deserialization vulnerability to execute commands on the host system.

Remediation

Users can update to RELATE version 2026.1 or later, where this vulnerability has been fixed.
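Beyond upgrading, operators can check their own deployment for the weak setting pattern described above. The following is an added example, not RELATE's or Celery's own code: it audits a plain settings mapping (so it runs without Celery installed) for the real Celery configuration keys that allow a worker to decode pickle, and shows the weak configuration next to a JSON-only one.

```python
"""Audit Celery serializer settings for pickle acceptance.

Added example, not RELATE's or Celery's own code. It inspects a plain
settings mapping so it runs without Celery installed; the key names
(accept_content, task_serializer, ...) are Celery's real settings.
"""

# Settings that control which content types a worker will decode.
# Old-style uppercase names (CELERY_ACCEPT_CONTENT, ...) are also checked.
ACCEPT_KEYS = ("accept_content", "result_accept_content",
               "CELERY_ACCEPT_CONTENT", "CELERY_RESULT_ACCEPT_CONTENT")
# Settings that choose the serializer used when emitting tasks/results/events.
SERIALIZER_KEYS = ("task_serializer", "result_serializer", "event_serializer",
                   "CELERY_TASK_SERIALIZER", "CELERY_RESULT_SERIALIZER",
                   "CELERY_EVENT_SERIALIZER")
# Content types whose loading runs arbitrary code; pickle's MIME alias included.
UNSAFE = {"pickle", "application/x-python-serialize"}


def pickle_findings(settings):
    """Return (setting, offending value) pairs that let a worker load pickle."""
    findings = []
    for key in ACCEPT_KEYS:
        if key in settings:
            bad = [c for c in settings[key] if c in UNSAFE]
            if bad:
                findings.append((key, bad))
    for key in SERIALIZER_KEYS:
        if settings.get(key) in UNSAFE:
            findings.append((key, settings[key]))
    return findings


def accepts_pickle(settings):
    """True if any accept list or serializer setting permits pickle."""
    return bool(pickle_findings(settings))


# Constructed sample configurations: the weak pattern the advisory describes
# next to a hardened configuration that only accepts and emits JSON.
WEAK_SETTINGS = {
    "accept_content": ["pickle", "json"],
    "task_serializer": "pickle",
    "result_serializer": "pickle",
}
HARDENED_SETTINGS = {
    "accept_content": ["json"],
    "task_serializer": "json",
    "result_serializer": "json",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, pickle_findings(cfg))
```

Settings that are left unset are not flagged, so check the installed Celery version's defaults as well: Celery 4 and later default to JSON only, while Celery 3 still allowed pickle by default.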

Added: May 28, 2026, 3:30 AM
Updated: May 28, 2026, 3:30 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.1
remediation: 0.0
relevance: 9.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.