GHSA-HCWQ-X9FW-8CFQ

Vulnerability from github – Published: 2026-05-14 16:16 – Updated: 2026-06-12 22:01
Summary
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
Details

Summary

The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system.

━━━━━━━━━━━━━━━━━━━━━━

Details

Vulnerable file: lib/commands/create.js
Location: Line 186

The CLI collects a password using an interactive prompt and passes it directly into a shell command.

Vulnerable code:

const response = await prompts({
  type: 'password',
  name: 'pw',
  message: '🔏 Please enter a password:'
});

exec(`echo "${response.pw}" | ${createUserCommand}`);

The value of response.pw is not validated, sanitized, or escaped before being used in exec().

This allows shell metacharacters such as ;, &&, and $() to break out of the intended command and execute arbitrary commands.

━━━━━━━━━━━━━━━━━━━━━━

Steps to Reproduce

1) Install the CLI
      npm install -g @apostrophecms/cli
2) Create a new project
      mkdir testproject && cd testproject
      apos create mysite
3) When prompted for the admin password, enter
      "; id > /tmp/apos_rce_proof.txt; echo "
4) Verify command execution
      cat /tmp/apos_rce_proof.txt

━━━━━━━━━━━━━━━━━━━━━━

Proof of Concept Output

uid=1000(vboxuser) gid=1000(vboxuser) groups=1000(vboxuser),27(sudo),984(docker)

This confirms arbitrary command execution with the privileges of the user running the CLI.

━━━━━━━━━━━━━━━━━━━━━━

Impact

Arbitrary command execution on the developer’s machine
Execution occurs with the privileges of the user running the CLI

This can lead to:

File modification or deletion
Credential exposure
System compromise depending on user privileges

An attacker can exploit this by influencing the password input (for example, through social engineering, malicious documentation, or compromised automation scripts).

The proof-of-concept shows execution under a user belonging to privileged groups such as sudo and docker, which may allow further privilege escalation depending on system configuration.

━━━━━━━━━━━━━━━━━━━━━━

Suggested Fix

Avoid using exec() with user-controlled input.

Use execFile() instead:

const { execFileSync } = require('child_process');

execFileSync('node', [appJsPath, userTask, 'admin', 'admin'], {
  input: response.pw + '\n'
});

━━━━━━━━━━━━━━━━━━━━━━

Affected Version

All current versions of @apostrophecms/cli

━━━━━━━━━━━━━━━━━━━━━━

Tested On

Ubuntu 22.04
Node.js v18.19.1

━━━━━━━━━━━━━━━━━━━━━━

CWE

CWE-78 — Improper Neutralization of Special Elements used in an OS Command

━━━━━━━━━━━━━━━━━━━━━━


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apostrophecms/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:16:16Z",
    "nvd_published_at": "2026-06-12T21:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n\nThe @apostrophecms/cli package contains a command injection vulnerability in the apos create command.\nUser-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping.\nThis allows execution of arbitrary commands on the host system.\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nDetails\n\nVulnerable file: lib/commands/create.js\nLocation: Line 186\n\nThe CLI collects a password using an interactive prompt and passes it directly into a shell command.\n\nVulnerable code:\n\nconst response = await prompts({\ntype: \u0027password\u0027,\nname: \u0027pw\u0027,\nmessage: \u0027\ud83d\udd0f Please enter a password:\u0027\n});\n\nexec(echo \"${response.pw}\" | ${createUserCommand});\n\nThe value of response.pw is not validated, sanitized, or escaped before being used in exec().\n\nThis allows shell metacharacters such as ;, \u0026\u0026, and $() to break out of the intended command and execute arbitrary commands.\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nSteps to Reproduce\n\n1) Install the CLI\n      npm install -g @apostrophecms/cli\n2) Create a new project\n      mkdir testproject \u0026\u0026 cd testproject\n      apos create mysite\n3)When prompted for the admin password, enter\n      \"; id \u003e /tmp/apos_rce_proof.txt; echo \"\n4)Verify command execution\n        cat /tmp/apos_rce_proof.txt\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nProof of Concept Output\n\nuid=1000(vboxuser) gid=1000(vboxuser) groups=1000(vboxuser),27(sudo),984(docker)\n\nThis confirms arbitrary command execution with the privileges of the user running the CLI.\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nImpact\n\nArbitrary command execution on the developer\u2019s machine\nExecution occurs with the privileges of the user running the CLI\n\nThis can lead to:\n\nFile modification or deletion\nCredential exposure\nSystem compromise depending on user privileges\n\nAn attacker can exploit this by influencing the password input (for example, through social engineering, malicious documentation, or compromised automation scripts).\n\nThe proof-of-concept shows execution under a user belonging to privileged groups such as sudo and docker, which may allow further privilege escalation depending on system configuration.\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nSuggested Fix\n\nAvoid using exec() with user-controlled input.\n\nUse execFile() instead:\n\nconst { execFileSync } = require(\u0027child_process\u0027);\n\nexecFileSync(\u0027node\u0027, [appJsPath, userTask, \u0027admin\u0027, \u0027admin\u0027], {\ninput: response.pw + \u0027\\n\u0027\n});\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nAffected Version\n\nAll current versions of @apostrophecms/cli\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nTested On\n\nUbuntu 22.04\nNode.js v18.19.1\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\n\nCWE\n\nCWE-78 \u2014 Improper Neutralization of Special Elements used in an OS Command\n\n\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501",
  "id": "GHSA-hcwq-x9fw-8cfq",
  "modified": "2026-06-12T22:01:56Z",
  "published": "2026-05-14T16:16:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42853"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apostrophecms/apostrophe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input"
}

