Lethal Injection

Published Tue, May 7th, 2024


Multiple vulnerabilities were uncovered in Azure Health Bot service, Microsoft's health chatbot platform. These could have potentially exposed sensitive user data and granted attackers extensive control, allowing unrestricted code execution as root on the bot backend, unrestricted access to authentication secrets & integration auth providers, unrestricted memory read in the bot backend, exposing sensitive secrets, allowing cross-tenant data access and unrestricted deletion of other tenants' public resources. These issues stemmed from various bugs related to URL sanitization, shared compute, and sandboxing. Following disclosure, Microsoft changed the service architecture to run a completely separate ACI instance per customer, thereby mitigating future sandbox escapes, and changed the sandboxing from vm2 to the isolated-vm library (which uses V8 isolates).

Affected Services

Health Bot


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Yanir Tsarimi, Breachproof