
Boxlite, containerd, Twig, and token-boundary batch

Source: GitHub Security Advisories REST fallback, published/updated 2026-05-21.

This batch is durable because it turns fresh advisories into replayable checks for sandbox escape, container policy bypass, metadata SSRF blocklist drift, template-sandbox execution, admin endpoint authorization, and CI/CD token exfiltration boundaries.

What changed

  • Boxlite host write via OCI layer symlink traversal (GHSA-f396-4rp4-7v2j): Boxlite accepted attacker-supplied OCI images and extracted layer tar entries without confining symlink targets to the image root. A malicious layer could declare an absolute symlink and then write later entries through it, so loading the image wrote to arbitrary host paths.
  • BoxLite read-only mount bypass (GHSA-g6ww-w5j2-r7x3): BoxLite implemented read-only virtiofs mounts by remounting inside the guest VM with MS_RDONLY. Because the flag was enforced by the guest kernel, untrusted code that kept the capability to call mount(2) inside the guest could remount the shared directory read-write; a read-only boundary has to be enforced on the host side of the share, not inside the untrusted guest.
  • containerd runAsNonRoot evasion (GHSA-fqw6-gf59-qr4w): a crafted image whose numeric USER value overflows a 32-bit parse could be treated as a user name instead of a UID. If the image's /etc/passwd maps that string to UID 0, the Kubernetes runAsNonRoot check passes while the container actually runs as root.
  • Pydantic AI metadata SSRF blocklist bypass (GHSA-cqp8-fcvh-x7r3): applications that set force_download='allow-local' for URL downloads could still reach cloud metadata endpoints through IPv4-mapped IPv6, 6to4, or NAT64 address forms, because the metadata block compared addresses without normalizing those encodings.
  • Rust OneNote parser path traversal (GHSA-4j5m-wc25-pvh7): malicious .onetoc2 entries could make Parser::parse_notebook open paths outside the notebook directory. Because the parser normally fails on non-section files, the strongest generic proof is path reachability, existence probing, or a resource-trigger effect rather than direct file exfiltration.
  • SQLAdmin ajax_lookup authorization bypass (GHSA-54mc-gghv-4cfj): GET /{identity}/ajax/lookup?name=<field>&term=<query> did not enforce the same is_accessible() model-access check as the list/create/edit/delete/details/export routes, so an authenticated user denied access to a model could still look up its data through the lookup endpoint.
  • Twig template execution and sandbox escapes (GHSA-45vw-wh46-2vx8, GHSA-7p85-w9px-jpjp, GHSA-mm6w-gr99-p3jj, GHSA-7fxw-r6jv-74c8, GHSA-vcc8-phrv-43wj, GHSA-24x9-r6q4-q93w): multiple Twig advisories showed that untrusted template authors could break sandbox assumptions through macro-reference compilation, {% use %} template-name injection, object destructuring, cached sandbox includes, the column filter applied to objects, or template_from_string() combined with a name-based source policy.
  • Twig autoescape/resource footguns (GHSA-jv8m-2544-3pg3, GHSA-4j38-f5cw-54h7, GHSA-35wc-cvqg-78fp): the extras filters declared their output safe in too many contexts, spaceless marked attacker-controlled markup safe for HTML, and twig/intl-extra memoized formatter objects keyed on template-controlled arguments without any bound on the cache.
  • JavaScript Cookie attribute injection (GHSA-qjx8-664m-686j): JSON-derived data carrying an own __proto__ key, passed into Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter, can replace the prototype of the per-instance attributes object and inject cookie attributes such as domain, path, secure, samesite, or expires.
  • Tekton Pipelines git resolver token leak (GHSA-wjxp-xrpv-xpff): in API mode, a tenant who can create TaskRun or PipelineRun resources could supply a custom serverURL while omitting token; the resolver then sent the system-configured Git API token to the attacker-controlled server.
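The Boxlite layer item above, and the host-write proof described later under the validation boundaries, both come down to where a tar entry actually lands once the extractor follows links the same layer declared. The following Python lint is an added example for this batch, not Boxlite's extractor or any project's code: it walks an OCI layer tar in extraction order, follows symlinks the layer itself has already created, and reports every entry that would end up outside the image root. The root path, the in-memory lab layer and the marker names are constructed assumptions; the lint never touches the filesystem.

```python
"""Lint an OCI layer tar for entries that would escape the extraction root.

Added example, not Boxlite's code. Paths are resolved logically, in the
order a naive extractor creates them, so a regular file whose path passes
through an earlier absolute symlink is reported at the host location the
kernel would actually open. ROOT and the lab layer are assumptions.
"""
import io
import posixpath
import tarfile

ROOT = "/var/lib/sandbox/rootfs"   # assumed extraction root of the image


def _inside(path, root):
    return path == root or path.startswith(root + "/")


def _resolve(path, symlinks):
    """Follow symlinks already created by this layer, component by component.

    `symlinks` maps the resolved location of each link to its raw target.
    An absolute target restarts resolution at "/", which is exactly how a
    link escapes when the extractor does not rewrite it under ROOT.
    """
    current = "/"
    for part in path.strip("/").split("/"):
        current = posixpath.join(current, part)
        hops = 0
        while current in symlinks:
            hops += 1
            if hops > 40:
                raise ValueError("symlink loop at %s" % current)
            target = symlinks[current]
            base = "/" if target.startswith("/") else posixpath.dirname(current)
            current = posixpath.normpath(posixpath.join(base, target))
    return current


def lint_layer(layer_bytes, root=ROOT):
    """Return [(entry_name, reason, host_path)] for entries landing outside root."""
    root = posixpath.normpath(root)
    symlinks = {}
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for m in tar:
            # Where a naive extractor writes this entry, following earlier links.
            raw = posixpath.normpath(posixpath.join(root, m.name.lstrip("/")))
            dest = _resolve(raw, symlinks)
            if not _inside(dest, root):
                findings.append((m.name, "entry path resolves outside root", dest))
            if m.issym():
                base = "/" if m.linkname.startswith("/") else posixpath.dirname(dest)
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                symlinks[dest] = m.linkname
                if not _inside(target, root):
                    findings.append((m.name, "symlink target outside root", target))
            elif m.islnk():
                # Hard link targets name another path of the same image root.
                link_raw = posixpath.normpath(posixpath.join(root, m.linkname.lstrip("/")))
                target = _resolve(link_raw, symlinks)
                if not _inside(target, root):
                    findings.append((m.name, "hardlink target outside root", target))
    return findings


def build_lab_layer(include_escapes=True):
    """Constructed layer tar (not a real Boxlite image). With include_escapes it
    has the shape of the proof: an absolute symlink, then a benign marker
    written through it, plus a relative '..' symlink and a '..' entry name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, type_=tarfile.REGTYPE, linkname="", data=b""):
            info = tarfile.TarInfo(name)
            info.type = type_
            info.linkname = linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("usr", tarfile.DIRTYPE)
        add("usr/lib", tarfile.DIRTYPE)
        add("usr/lib/ok.txt", data=b"fine\n")
        add("bin", tarfile.SYMTYPE, linkname="usr/bin")              # relative, stays inside
        if include_escapes:
            add("tmp", tarfile.DIRTYPE)
            add("tmp/esc", tarfile.SYMTYPE, linkname="/")              # absolute symlink to host root
            add("tmp/esc/tmp/lab/marker.txt", data=b"lab marker\n")   # written through it
            add("usr/lib/up", tarfile.SYMTYPE, linkname="../../..")   # relative escape
            add("../evil.txt", data=b"dotdot\n")                      # plain path traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason, where in lint_layer(build_lab_layer()):
        print("%-32s %-36s %s" % (name, reason, where))
```

Run it and the marker entry is reported at /tmp/lab/marker.txt, not under the rootfs, which is the host-write the advisory describes. Extractors avoid this by rewriting absolute link targets under the root or by opening every path with openat2(2) and RESOLVE_IN_ROOT; on the Python side, tarfile's extraction filter (filter="data", Python 3.12 and the backports) rejects the same classes of entry this lint flags.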

Operator triage

  1. Search target inventories for Boxlite/BoxLite sandbox services, containerd-backed clusters that rely on runAsNonRoot, Pydantic AI URL download features using allow-local, applications parsing untrusted OneNote notebooks, SQLAdmin admin panels, Twig user-template surfaces, JavaScript Cookie attribute objects derived from JSON, and Tekton Pipelines git resolver API mode.
  2. For sandbox/container findings, map who controls OCI images, whether shared host directories are exposed read-only, which pod-security policies rely on runAsNonRoot, and whether explicit runAsUser is enforced.
  3. For SSRF and parser findings, identify all URL/file ingestion paths, whether cloud metadata egress is possible from the worker runtime, and whether parser errors expose timing, size, callback, or existence differences.
  4. For Twig, distinguish developer-authored templates from tenant/user-authored templates. Record enabled extensions, allowed tags/filters/functions, sandbox mode, template cache lifetime, and whether template_from_string, {% use %}, {% include %}, column, spaceless, markdown/css/intl extras, or object destructuring are exposed.
  5. For Tekton, collect resolver configuration, secret namespace/name, tenant permissions for TaskRun/PipelineRun, allowed resolver parameters, and outbound egress from the resolver controller.

Replayable validation boundaries

  • Boxlite host-write proof: build a disposable OCI image whose layer contains only a benign symlink/marker write into a lab-controlled host path. Vulnerable result: image load writes the marker outside the intended extraction root. Do not target real host configuration files.
  • BoxLite read-only proof: mount a disposable host directory as read-only, then from untrusted code attempt only a remount/write of a harmless marker. Vulnerable result: the marker appears in the supposedly read-only directory.
  • containerd policy proof: in a lab namespace, run a crafted image whose USER value exercises the large-numeric parsing edge and whose /etc/passwd maps it to UID 0. Vulnerable result: the pod passes runAsNonRoot but id -u shows root. Keep the container inert.
  • Pydantic AI SSRF proof: if the app intentionally allows local downloads, submit the metadata address in a transition encoding (for example ::ffff:169.254.169.254, a 6to4 or a NAT64 form) pointing at a harmless path, and watch the worker's egress (its own logs or a packet capture) rather than the response. Vulnerable result: the worker accepts the URL and attempts the server-side request, while the plain dotted form is refused. Stop before requesting real credential paths.
  • OneNote parser proof: place a harmless marker section or oversized disposable file outside the notebook directory, reference it from a crafted .onetoc2, and observe parse timing/error differences. Avoid sensitive local paths.
  • SQLAdmin proof: with an authenticated user denied access by is_accessible(), call /{identity}/ajax/lookup?name=<field>&term=<known-prefix> for a lab model. Vulnerable result: restricted records appear through lookup while list/details remain denied.
  • Twig proof: in a lab tenant template, prefer inert effects: compile-time syntax markers, reading a non-secret public property, invoking a harmless getter, or rendering controlled markup through the suspect filter. Only test command execution in an isolated container explicitly built for that purpose.
  • JavaScript Cookie proof: pass JSON-derived attributes containing an own __proto__ object into a controlled cookie write and inspect the resulting Set-Cookie string or document.cookie behavior for unexpected domain, path, or samesite attributes.
  • Tekton proof: create a disposable TaskRun/PipelineRun using git resolver API mode with serverURL pointed at an owned HTTPS listener and no token parameter. Vulnerable result: the resolver contacts the listener with an authorization token. Capture only token presence and prefix; immediately revoke the lab token.
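For the containerd item and the policy proof above, the following Python model, which is an added example and not containerd's or the kubelet's code, reproduces the parser differential the advisory describes: a policy check reads the USER value as a number and sees "not zero", while the runtime's 32-bit parse overflows, falls back to a name lookup, and the image's /etc/passwd maps that name to UID 0. The passwd text, the USER value 4294967296 and the shape of the policy and runtime functions are assumptions made for the model.

```python
"""Model the parser differential behind a runAsNonRoot bypass.

Added example; not containerd's or the kubelet's code. The lenient runtime
resolver is the vulnerable pattern, the strict one is the hardened pattern.
The passwd content and USER values are constructed.
"""
UINT32_MAX = 2**32 - 1


def _ascii_digits(s):
    return bool(s) and all(c in "0123456789" for c in s)


def parse_passwd(text):
    """Map user name -> uid from passwd-format text (name:pw:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and _ascii_digits(fields[2]):
            users[fields[0]] = int(fields[2])
    return users


def parse_uid32(value):
    """Return the uid if VALUE is a decimal that fits in 32 bits, else None."""
    if not _ascii_digits(value):
        return None
    uid = int(value)
    return uid if uid <= UINT32_MAX else None


def policy_thinks_non_root(user):
    """Modelled policy check: a numeric USER is non-root iff it is not 0; a
    non-numeric USER cannot be verified and is rejected."""
    if _ascii_digits(user):
        return int(user) != 0          # unbounded parse: 2**32 is "not zero"
    return False


def runtime_uid_lenient(user, passwd):
    """Vulnerable pattern: anything that fails the 32-bit parse is a name."""
    uid = parse_uid32(user)
    if uid is not None:
        return uid
    return passwd.get(user)            # attacker-controlled passwd decides


def runtime_uid_strict(user, passwd):
    """Hardened pattern: an all-digit USER is a uid or an error, never a name."""
    if _ascii_digits(user):
        uid = parse_uid32(user)
        if uid is None:
            raise ValueError("USER %r is not a valid 32-bit uid" % user)
        return uid
    return passwd.get(user)


def evaluate(user, passwd_text, runtime):
    """Return (policy_allowed, outcome). A bypass is (True, 0): the policy
    thinks the user is non-root while the runtime resolves it to uid 0."""
    passwd = parse_passwd(passwd_text)
    allowed = policy_thinks_non_root(user)
    try:
        return allowed, runtime(user, passwd)
    except ValueError as exc:
        return allowed, "rejected: " + str(exc)


# Constructed image content: the overflow value is also a passwd user name.
LAB_USER = str(2**32)              # one past uint32 (assumed edge value)
LAB_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    + LAB_USER + ":x:0:0:alias for root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    print("lenient:", evaluate(LAB_USER, LAB_PASSWD, runtime_uid_lenient))
    print("strict: ", evaluate(LAB_USER, LAB_PASSWD, runtime_uid_strict))
```

The lenient path yields (True, 0): policy satisfied, process root. The fix is not a bigger integer type but agreement between the two parsers, with an all-digit value that does not fit treated as an error rather than a name, which is what the strict resolver does.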
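For the Pydantic AI item and its proof, this added Python check (not Pydantic AI's code) shows what a metadata blocklist has to do before comparing addresses: extract the IPv4 address carried inside an IPv6 transition encoding and test both the literal and the embedded address. It goes slightly beyond the three forms the advisory names by also handling Teredo and the deprecated IPv4-compatible form. The blocklist contents and every test literal are constructed assumptions.

```python
"""Normalize IPv6 transition addresses before a cloud-metadata blocklist check.

Added example, not Pydantic AI's code. METADATA_BLOCKLIST is a constructed
starting set; extend it for the providers in scope.
"""
import ipaddress

METADATA_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # IMDS on AWS, GCP, Azure, OCI and others
    "100.100.100.200/32",   # Alibaba Cloud metadata
    "fd00:ec2::254/128",    # AWS IMDS IPv6 endpoint
)]
NAT64_PREFIXES = [ipaddress.ip_network("64:ff9b::/96"),     # RFC 6052 well-known prefix
                  ipaddress.ip_network("64:ff9b:1::/48")]   # RFC 8215 local-use prefix
IPV4_COMPATIBLE = ipaddress.ip_network("::/96")             # deprecated ::a.b.c.d form


def embedded_ipv4(addr):
    """Return (IPv4Address, form) carried inside an IPv6 address, or None."""
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
        return addr.ipv4_mapped, "ipv4-mapped"
    if addr.sixtofour is not None:                   # 2002:AABB:CCDD::/48
        return addr.sixtofour, "6to4"
    if addr.teredo is not None:                      # 2001::/32, client IP in low 32 bits
        return addr.teredo[1], "teredo-client"       # ipaddress undoes the XOR obfuscation
    low32 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    if any(addr in p for p in NAT64_PREFIXES):       # 64:ff9b::a.b.c.d
        return low32, "nat64"
    if addr in IPV4_COMPATIBLE and int(addr) > 1:    # skip :: and ::1
        return low32, "ipv4-compatible"
    return None


def blocked_reason(host_literal):
    """Return why HOST_LITERAL hits the metadata blocklist, or None if it is clear.

    Takes an IP literal (with or without IPv6 brackets). Hostnames must be
    resolved first and every resolved address passed through this same check.
    """
    addr = ipaddress.ip_address(host_literal.strip("[]"))
    candidates = [(addr, "literal")]
    inner = embedded_ipv4(addr)
    if inner is not None:
        candidates.append(inner)
    for cand, form in candidates:
        for net in METADATA_BLOCKLIST:
            if cand in net:              # False, not an error, across IP versions
                return "%s %s is in %s" % (form, cand, net)
    return None


# Constructed probes: the same metadata address in several encodings.
PROBES = [
    "169.254.169.254",
    "[::ffff:169.254.169.254]",
    "2002:a9fe:a9fe::1",
    "64:ff9b::169.254.169.254",
    "64:ff9b:1::a9fe:a9fe",
    "2001:0:c000:204::5601:5601",     # Teredo client 169.254.169.254 behind 192.0.2.4
    "::169.254.169.254",
    "fd00:ec2::254",
    "::ffff:8.8.8.8",
    "10.0.0.5",                       # local, but not metadata: allow-local may permit it
]

if __name__ == "__main__":
    for probe in PROBES:
        print("%-30s %s" % (probe, blocked_reason(probe) or "clear"))
```

Two caveats a blocklist alone cannot cover: RFC 6052 permits network-specific NAT64 prefixes other than 64:ff9b::/96, which no static check can recognize, and the check has to be repeated on the addresses the resolver returns and again at connect time. Denying metadata egress at the network layer from the worker runtime is the backstop.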

Reporting heuristics

  • Frame each result around the crossed boundary: image layer to host filesystem, read-only mount to write, non-root policy to root runtime, metadata blocklist to cloud credential endpoint reachability, admin model denial to ajax_lookup disclosure, template sandbox to code/property/filter access, or tenant pipeline parameter to shared CI/CD token.
  • Include exact versions, configuration prerequisites, role requirements, network egress assumptions, and one redacted proof artifact.
  • For token and metadata issues, report reachability and controlled callback evidence; do not collect real cloud credentials or production tokens unless explicitly authorized.
  • For template issues, avoid public exploit payload dumping in reports when a high-level compiler/sandbox primitive plus harmless proof is enough for reproduction.

Notes on skipped or already-covered items from this scan

  • ImageMagick PasskeyEncipherImage nonce reuse, binomial kernel division by zero, and JSON/YAML encoder overwrite (GHSA-qv2q-c278-pch5, GHSA-vf33-6r7x-66xx, GHSA-jqq5-8px3-9m6m) were skipped because this pass already has ImageMagick parser/resource guidance and these items did not add a new broad exploit-validation workflow.
  • js-libp2p subscription flood (GHSA-4f8r-922h-2vgv) was skipped as resource-exhaustion only for the current offensive taxonomy.
  • @nevware21/ts-utils prototype pollution (GHSA-x7j8-49r8-mr43) was noted but not promoted into a separate workflow because it needs an application-specific sink beyond the library copy primitive.
  • phpMyFAQ tag deletion and stored XSS updates (GHSA-w42g-jj8w-fj77, GHSA-5h62-f8fg-4w7q, GHSA-h36g-93qx-rxgr, GHSA-wj3q-vw2v-3rj3) were considered already covered by existing phpMyFAQ auth/render/admin-boundary guidance for this wiki pass.