What's Happening?
A critical vulnerability in Grist-Core, a programmable alternative to Excel and Google Sheets, has been identified that allows remote code execution (RCE) through a malicious spreadsheet formula. Discovered by Cyera Research Labs, the flaw affects Grist's Python formula execution layer, which evaluates untrusted formulas inside a Pyodide WebAssembly sandbox. The vulnerability, assigned a CVSS score of 9.1, has been patched following a coordinated disclosure with the Grist-Core security team. The issue allows a formula author to escape the Pyodide sandbox and execute operating system commands or JavaScript in the host runtime. Because the exploit is delivered as ordinary-looking spreadsheet content, routine data processing itself becomes an execution surface. Grist-Core is used in both managed SaaS and self-hosted environments, which increases the impact of execution isolation failures.
Why Is It Important?
The vulnerability poses significant risks as Grist-Core is widely adopted across various sectors, including government, higher education, and commercial teams. The flaw allows access to sensitive data and credentials, with potential for lateral movement into adjacent systems. In managed SaaS deployments, the risk extends beyond individual servers, compromising the control plane that runs multiple tenants' workflows. This makes the vulnerability a critical concern for organizations relying on Grist-Core for data modeling and workflow automation. The patch, implemented in version 1.7.9, introduces a permission-based isolation layer by running Pyodide under Deno, emphasizing the need for operators to upgrade promptly and treat formula execution as a privileged capability.
What's Next?
Organizations using Grist-Core are advised to upgrade to version 1.7.9 to mitigate the vulnerability. The update runs Pyodide under Deno by default, adding a permission-based isolation layer. Operators should avoid bypassing Deno and should treat formula execution as a privileged capability. The incident highlights the importance of robust security measures in SaaS environments, particularly those handling sensitive operational data. Stakeholders in affected sectors may need to reassess their security protocols and ensure that similar vulnerabilities are addressed promptly to prevent potential breaches.
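The first operational step after a disclosure like this is finding out which self-hosted instances still run a version below the patched one. The script below is an added example, not code from Grist-Core or from Cyera Research Labs; it compares reported version strings numerically against 1.7.9 (the version named above) so that, for instance, 1.7.10 is correctly treated as newer than 1.7.9, which a plain string comparison would get wrong. The inventory entries and hostnames are constructed for illustration.

```python
import re
from typing import List, Tuple

# The patched release named in the advisory summary above.
PATCHED_VERSION = "1.7.9"

# Accepts "1.7.9", "v1.7.10", "1.7.9-rc1" (any trailing suffix is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a (major, minor, patch) integer tuple.

    Raises ValueError for strings that do not start with three numeric parts,
    so unknown or malformed inventory data is surfaced rather than silently
    treated as patched.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `version` is at or above the patched release."""
    return parse_version(version) >= parse_version(patched)


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (host, reported_version) pair.

    Returns (host, reported_version, status) where status is one of
    'patched', 'UPGRADE REQUIRED' or 'UNKNOWN - verify manually'.
    Hosts whose version cannot be parsed are never assumed safe.
    """
    results = []
    for host, reported in inventory:
        try:
            status = "patched" if is_patched(reported) else "UPGRADE REQUIRED"
        except ValueError:
            status = "UNKNOWN - verify manually"
        results.append((host, reported, status))
    return results


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that are either below 1.7.9 or could not be assessed."""
    return [host for host, _, status in audit(inventory) if status != "patched"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("grist-finance.example.internal", "1.7.9"),
    ("grist-hr.example.internal", "v1.7.10"),
    ("grist-lab.example.internal", "1.7.8"),
    ("grist-legacy.example.internal", "1.6.2"),
    ("grist-test.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:40} {version:10} {status}")
```

Feeding the script real data is a matter of replacing SAMPLE_INVENTORY with whatever your asset inventory reports; the point of the parser is that a host with an unparseable version lands in the "verify manually" bucket instead of being quietly counted as safe.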