Phenixdigital Phoenix Storybook Code Injection Vulnerability Allowing Remote Execution

Vulnerability

A code injection vulnerability has been identified in Phenixdigital's Phoenix Storybook, affecting versions from 0.5.0 up to, but not including, 1.1.0. The flaw allows unauthenticated remote code execution through unsanitized attribute value interpolation in HEEx template generation. It is located in the 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive' WebSocket event handler, which accepts arbitrary attribute names and values from unauthenticated clients. These values are stored verbatim and later interpolated into a HEEx template string without escaping. An attacker can exploit this by injecting a closing quote followed by a HEEx expression block, so that the injected expression is compiled and executed as Elixir code. The compiled code runs with full access to the Elixir Kernel and without any sandboxing, resulting in arbitrary code execution on the server.
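As an added illustration (hypothetical modules, not Phoenix Storybook's own code and not its actual fix), the unsafe pattern the advisory describes is shown beside a hardened version: the template source stays a compile-time literal, attribute names are mapped through an allowlist, and values are passed as assigns so HEEx escapes them at render time. It assumes a project with `phoenix_live_view` available.

```elixir
# Added example; UnsafePreview and SafePreview are hypothetical modules.
# Unsafe: untrusted name/value are spliced into the template *source*, which
# is then compiled. A value carrying a closing quote and an expression block
# is therefore compiled and run as Elixir, the class of bug described above.
defmodule UnsafePreview do
  def render(attr_name, attr_value)
      when is_binary(attr_name) and is_binary(attr_value) do
    source = ~s(<div #{attr_name}="#{attr_value}"></div>)
    EEx.eval_string(source)
  end
end

# Hardened: the template source is a literal. Attribute names come from an
# allowlist (a name cannot be made safe by quoting), and values travel as
# assigns, so HEEx HTML-escapes them instead of compiling them.
defmodule SafePreview do
  use Phoenix.Component

  @allowed_attrs %{"class" => :class, "id" => :id, "title" => :title}

  def render(attr_name, attr_value)
      when is_binary(attr_name) and is_binary(attr_value) do
    case Map.fetch(@allowed_attrs, attr_name) do
      {:ok, key} ->
        assigns = %{attrs: [{key, attr_value}]}
        # Dynamic attributes are escaped by Phoenix.HTML.attributes_escape/1.
        {:ok, ~H"<div {@attrs}></div>"}

      :error ->
        # Unknown attribute names are rejected rather than interpolated.
        {:error, {:unknown_attribute, attr_name}}
    end
  end
end

# To inspect the hardened output as a string (constructed sample value):
#   {:ok, rendered} = SafePreview.render("class", ~s(x" data-y="z))
#   rendered |> Phoenix.HTML.Safe.to_iodata() |> IO.iodata_to_binary()
# The embedded quote is emitted as escaped text, never as template syntax.
```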

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where the vulnerable version of Phoenix Storybook is deployed.

Reproduction

To reproduce this vulnerability, connect to a Phoenix LiveView WebSocket without authentication and join a story's LiveView channel. Send a 'psb-assign' event with an attribute value that escapes the HEEx attribute context and embeds an Elixir expression, such as a command execution payload. The server will evaluate the injected expression and return the output in the rendered response.

Remediation

Users can upgrade to Phoenix Storybook version 1.1.0 or later to address this vulnerability.

Added: May 20, 2026, 2:21 PM
Updated: May 20, 2026, 2:21 PM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:         7.5
exploitability: 7.7
remediation:    0.0
relevance:      8.9
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.