Cloudflare · Wrangler · CVE-2026-0933
**Name of the Vulnerable Software and Affected Versions**
Wrangler versions prior to 3.114.17
Wrangler versions prior to 4.59.1
Wrangler version 2 (EOL)
**Description**
A command injection issue exists in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed to a shell command without proper validation, allowing an attacker who controls the `--commit-hash` parameter to execute arbitrary commands on the system running Wrangler. The `commitHash` variable, obtained from the `--commit-hash` command-line argument, is directly interpolated into a shell command using template literals. Shell metacharacters are interpreted by the shell, enabling command execution.

This primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the `--commit-hash` parameter is populated from external sources. An attacker could potentially run shell commands, exfiltrate environment variables, or compromise the CI runner.

**API Endpoint:** `wrangler pages deploy`
**Vulnerable Parameter:** `--commit-hash`
**Recommendations**
Wrangler versions prior to 3.114.17 should be upgraded to Wrangler version 3.114.17 or higher.
Wrangler versions prior to 4.59.1 should be upgraded to Wrangler version 4.59.1 or higher.
Users on Wrangler version 2 (EOL) should upgrade to a supported major version.