CVE-2022-36065 in GrowthBook

Summary

by MITRE • 09/07/2022

GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build.


Analysis

by VulDB Data Team • 09/07/2022

CVE-2022-36065 affects GrowthBook, an open-source platform for feature flagging and A/B testing. The flaw is confined to self-hosted deployments and lets an attacker who holds no legitimately issued credentials obtain arbitrary code execution inside the application container. Two weaknesses combine: account registration is open to anyone who can reach the instance, and the file upload handler accepts destination paths that resolve outside the intended upload directory, so an uploaded file can be written anywhere the container process can write. Because the upload endpoint trusts JWTs signed with the configured JWT_SECRET, a guessable secret additionally lets the attacker mint their own session tokens instead of relying on a registered account. VulDB maps the weakness to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component): the attacker controls both the destination path of the upload and the content that a downstream interpreter will later execute. In ATT&CK terms the chain is exploitation of a public-facing application followed by execution of the attacker's uploaded script.

Exploitation requires a specific combination of deployment settings, so the issue is situational, but where the combination exists it is straightforward to abuse. The target must be a self-hosted GrowthBook instance; GrowthBook Cloud is unaffected. The instance must store uploads on the local filesystem rather than in S3 or Google Cloud Storage, because only a local upload lands on the same filesystem as the application code and can therefore be placed where an interpreter will pick it up. NODE_ENV must be set to a non-production value, and JWT_SECRET must be a weak, easily guessable string such as `dev`. With those conditions met, the attacker registers a new account (or forges a session token by guessing the secret), uploads a Python script through the file upload endpoint with a path that escapes the upload directory, and, once the script is in a location where it gets executed, runs arbitrary code inside the container. This is a textbook web application chain: missing input validation on the upload path and weak authentication combine into a remote code execution vector.

The operational impact goes well beyond data theft or service disruption. Code execution inside the container gives the attacker whatever the container's credentials and network position give it: access to the GrowthBook database and its feature-flag configuration, secrets mounted into the container, and a foothold for lateral movement. Because the attacker can write files anywhere the process can write, the access can be made persistent with a backdoored script or a command-and-control stub. Deployments that keep uploads on the local filesystem are the exposed ones: with S3 or Google Cloud Storage the uploaded bytes never touch the application container's filesystem, so there is nothing for an interpreter to execute. The impact is amplified by the fact that no legitimately issued credentials are needed, since registration is open and the session secret is guessable, so anyone who can reach the application can exploit it. Self-hosted instances exposed to the internet, or reachable from poorly segmented internal networks, are at the highest risk.

Mitigation has to address both the immediate configuration weaknesses and the code defect behind them. The fix is to update to a build that includes commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29), which closes both the unauthorized file upload and the open account registration. Until that update is in place, set the JWT_SECRET environment variable to a long random string (for example 32 bytes from a cryptographically secure generator, hex-encoded); this removes the attacker's ability to forge session tokens and thereby stops the arbitrary file uploads, but, as the advisory notes, it does not stop attackers from registering accounts, which only the updated build does. Deployments should also set NODE_ENV to production and review every other environment variable for defaults left over from development. Further hardening that reduces exposure independently of the patch: keep self-hosted instances off the public internet behind network segmentation, move uploads to S3 or Google Cloud Storage so that uploaded files never reach the container filesystem, and audit deployment configuration regularly for insecure settings. The case is a reminder that a development-grade secret left in an environment variable is an authentication bypass waiting to happen, and that self-hosted deployments need the same hardening discipline as any other internet-facing service.

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

09/07/2022

Moderation

accepted

CPE

ready

EPSS

0.01062

KEV

no

Activities

very low
