CVE-2025-34073

Name of the Vulnerable Software and Affected Versions: Maltrail versions <=0.54

Description: An unauthenticated command injection issue exists, allowing a remote attacker to execute arbitrary operating system commands via the username parameter in a POST request to the "/login" endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check output() in core/http.py, enabling injection of shell metacharacters. Exploitation does not require authentication, and commands are executed with the privileges of the Maltrail process.

Recommendations: For Maltrail versions <=0.54, as a temporary workaround, consider disabling the subprocess.check output() function in core/http.py or restricting access to the "/login" endpoint until a patch is available. Avoid using the username parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.