| 标题 | aandrew-me tgpt v2.11.1 Command Injection |
|---|
| 描述 | tgpt v2.11.1 contains a local command injection vulnerability in its update mechanism. When a user runs the -u / --update option on Linux or macOS, the application calls helper.Update() and constructs a shell command using bash -c. The value of executablePath, which is derived from os.Executable(), is concatenated directly into that command string without escaping or safe argument separation.
Because the executable path is inserted into a shell-interpreted string, any shell metacharacters present in the path, such as ; or #, are processed by the shell as command syntax rather than treated as literal data. This allows arbitrary command execution in the context of the current user if the binary is executed from a crafted path and the update feature is triggered.
The issue affects the local client only. It is not a remote code execution vulnerability against a server, and exploitation requires user interaction. The vulnerable code path is reachable on Linux and macOS, while the update routine is explicitly disabled on Windows in the current implementation. |
|---|
| 来源 | ⚠️ https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing |
|---|
| 用户 | hai271120 (UID 96497) |
|---|
| 提交 | 2026-04-13 16時27分 (2 月前) |
|---|
| 管理 | 2026-05-09 08時07分 (26 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 362418 [aandrew-me tgpt 直到 2.11.1 于 Linux/macOS Update helper.go helper.Update 权限提升] |
|---|
| 积分 | 20 |
|---|