skip to content
Back to
Home Bounties Research Advisories Get Involved Events
November 17, 2022

GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006

Peter Stöckli

Coordinated Disclosure Timeline


A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.


Arvados Workbench

Tested Version



Issue: Authenticated remote code execution due to insecure deserialization (GHSL-2022-063)

The Arvados Workbench uses Oj for deserializing JSON payloads from remote sources. When Oj.load is used without a restricting mode, arbitrary Ruby objects can be deserialized. Deserializing untrusted data using any method that allows the construction of arbitrary objects is easily exploitable and, in many cases, allows an attacker to execute arbitrary code. So-called “gadget chains” that allow code execution exist for all versions of Ruby.

The Arvados Workbench exposes a search endpoint which uses Oj.load to deserialize a JSON based filter query parameter. Authenticated attackers able to send arbitrary requests to this endpoint will be able to achieve remote code execution (RCE). The same is likely true for the combine_selected_files_into_collection action inside of actions_controller.rb.

This vulnerability was found using a CodeQL query which identifies deserialization of user-controlled data.

Proof of concept (for Ruby 2.x)

The search endpoint can be attacked with the following deserialization gadget chain which creates the file /tmp/pwned.txt on the attacked Arvados system (the test was performed against a setup as described on the Arvados-in-a-box page):

curl -i -s -k -X $'GET' \
    -H $'Host:'-H $'Accept: application/json' -H $'X-Csrf-Token: [..] \
    -b $'_arvados_workbench_session=[..]' \

(Hint: replace the X-Csrf-Token header and the _arvados_workbench_session cookie with valid (authenticated) values)

Please note:


This issue may lead to Remote Code Execution (RCE)



This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).


You can contact the GHSL team at, please include a reference to GHSL-2022-063 in any communication regarding this issue.