| Title | jishi node-sonos-http-api 3776f0e (Mar 22, 2025) OS Command Injection |
|---|
| Description | Remote Code Execution via OS Command Injection in Text-to-Speech Handler
Code reference: https://github.com/jishi/node-sonos-http-api/blob/3776f0ee2261c924c7b7204de121a38100a08ca7/lib/tts-providers/mac-os.js#L55-L64
Maintainer report: https://github.com/jishi/node-sonos-http-api/issues/915
vulnerability in the macOS TTS provider. In lib/tts-providers/mac-os.js (current master, commit 3776f0e from 2025-03-22), user-supplied input from the /say endpoint is interpolated into shell command strings that are passed to child_process.exec() without sanitization. An attacker can inject arbitrary shell commands by crafting the phrase parameter, achieving RCE with the privileges of
55–62, with execution at line 64.
var execCommand = `say "${phrase}" -o ${filepath}`;
Variants of this string appear in the conditional branches for selectedVoice and selectedRate. Execution occurs via exec(execCommand, ...).
Proof of concept request:
GET /bedroom/say/test%22;%20touch%20/tmp/pwned;%20echo%20%22x
This payload closes the quote, injects a command, and neutralizes the
Prerequisites
- Target running macOS
- macSay enabled in settings.json
- HTTP API reachable
Impact
- Full system compromise (Node.js process privileges)
CWE
CWE‑78 (OS Command Injection)
CVSS v3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)
Remediation
Replace exec() with execFile() and pass the arguments as an array, so that no shell ever parses the phrase:
const { execFile } = require('child_process');
const args = [];
if (selectedRate && selectedRate !== "default") args.push('-r', selectedRate);
if (selectedVoice) args.push('-v', selectedVoice);
args.push(phrase, '-o', filepath);
execFile('say', args, callback);
Because execFile() does not invoke /bin/sh, quotes and semicolons in phrase reach say as literal text. It does not prevent a value that begins with "-" from being parsed by say as an option, so voice, rate and phrase should additionally be validated (for example, rate restricted to digits).
Verification
Static code analysis of the public repository (3776f0e, 2025-03-22): the interpolation and the exec() call are visible on the referenced lines, so no runtime testing was required to confirm exploitability. |
|---|
| Source | https://github.com/jishi/node-sonos-http-api/issues/915 |
|---|
| User | XavLimSG (UID 95187) |
|---|
| Submitted | 05/02/2026 09:49 AM (2 months ago) |
|---|
| Moderated | 17/02/2026 02:48 PM (12 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 346280 [jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7 TTS Provider mac-os.js Promise phrase privilege escalation] |
|---|
| Points | 20 |
|---|