PT-2021-23080 · Elvish · Elvish

Xiaq · Published 2021-09-23 · Updated 2024-08-21

CVE-2021-41088

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Elvish versions prior to 0.14.0

Description: Elvish is a programming language and interactive shell. The web UI backend, started by elvish -web, hosts an endpoint that executes code sent from the web UI. The backend, however, does not correctly check the origin of requests, so a malicious website can send arbitrary code to the endpoint on localhost whenever the user has the web UI backend running and visits that website.

Recommendations: For versions prior to 0.14.0, the issue can be patched by removing the web UI, found in web, pkg/web, or pkg/prog/web, depending on the exact version. As a temporary workaround, consider not using the experimental web UI until the issue is resolved.
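As an added illustration of the origin validation error described above (example code written here, not Elvish's own code), the following Go guard sits in front of a localhost code-execution endpoint and refuses any request whose Origin header does not name the backend's own host. The /execute path, the localhost:8080 listen address and the hostile origin evil.example are constructed values for this example; the wrapped handler is a stand-in that executes nothing.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sameOrigin reports whether a browser-supplied Origin header names the
// backend's own origin. selfHost is the host:port the backend listens on
// (constructed example value "localhost:8080" below). An absent Origin,
// the literal "null" that browsers send for opaque origins, a non-HTTP
// scheme, or a different host/port all fail the check, so only pages
// served by this backend itself can reach the execution endpoint.
func sameOrigin(origin, selfHost string) bool {
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	// url.Parse splits off any userinfo, so "http://localhost:8080@evil.example"
	// yields Host "evil.example" and is correctly rejected here.
	return strings.EqualFold(u.Host, selfHost)
}

// requireSameOrigin wraps a handler so that cross-origin requests receive
// 403 Forbidden before the wrapped handler ever runs.
func requireSameOrigin(selfHost string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !sameOrigin(r.Header.Get("Origin"), selfHost) {
			http.Error(w, "forbidden: cross-origin request", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe builds the guarded endpoint in memory and returns the HTTP status
// that a POST carrying the given Origin header receives. The path
// "/execute" is an assumed name for the example, not Elvish's endpoint.
func probe(selfHost, origin string) int {
	h := requireSameOrigin(selfHost, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for the real endpoint: nothing is executed here.
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "http://"+selfHost+"/execute", strings.NewReader("echo hi"))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	self := "localhost:8080"
	// Constructed origins: the backend's own page, a hostile site, a different
	// local port, and a request with no Origin header at all.
	for _, o := range []string{"http://localhost:8080", "http://evil.example", "http://localhost:9999", ""} {
		fmt.Printf("Origin=%q -> %d\n", o, probe(self, o))
	}
}
```

Browsers attach an Origin header to every cross-site POST and fetch, so a page on another site cannot forge a same-origin value; the check above therefore closes the path the advisory describes. Denying requests that lack an Origin is deliberate: the endpoint only ever serves the UI's own XHR/fetch calls, which always carry one, and a bare HTTP client gains nothing by omitting it.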

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere
Origin Validation Error

Related Identifiers

CVE-2021-41088
GHSA-FPV6-F8JW-RC3R
GO-2022-0937

Affected Products

Elvish