PT-2026-38315 · Shellhub · Shellhub

Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-44425

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: ShellHub versions prior to 0.24.2
Description: The device list endpoint accepts user-controlled identifiers and passes them directly to the database layer as BSON/SQL keys without validation. This affects the name field of each filter property inside the base64-encoded filter query parameter, and the sort by query parameter. An authenticated user can craft payloads that make the aggregation or query fail, producing an HTTP 500 response with no body; no rate limiting is applied to these requests. Additionally, the fromContains() function passes user input directly as a $regex value, which may allow blind regex extraction over string fields within the caller's tenant and Regular Expression Denial of Service (ReDoS) amplification on large datasets. ReDoS is a condition in which a complex regular expression takes exponential time to evaluate, potentially exhausting server resources.
Recommendations: Update to version 0.24.2. As a temporary workaround, restrict access to the filter and sort by parameters of the device list endpoint to reduce the risk of exploitation.
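As an added example, not ShellHub's own code, the following Go sketch shows the two mitigations the description implies: allowlisting the field names taken from the filter properties and the sort by parameter instead of using them as raw BSON keys, and escaping a "contains" value before it becomes a $regex. The filter property shape and the allowlisted field names are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Constructed allowlist of filter/sort fields for this example, not ShellHub's real schema.
var allowedFields = map[string]bool{"name": true, "status": true, "online": true}
var ErrBadField = errors.New("field not allowed")

// Property is an assumed shape for one entry of the base64 filter parameter.
type Property struct {
	Name     string `json:"name"`
	Operator string `json:"operator"`
	Value    string `json:"value"`
}

// EncodeFilter builds the base64 parameter the way a client would.
func EncodeFilter(props []Property) string {
	raw, _ := json.Marshal(props)
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeFilter decodes the parameter and rejects any property whose name is
// not allowlisted, so a caller-chosen string never becomes a BSON key.
func DecodeFilter(encoded string) ([]Property, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("filter is not valid base64: %w", err)
	}
	var props []Property
	if err := json.Unmarshal(raw, &props); err != nil {
		return nil, fmt.Errorf("filter is not valid JSON: %w", err)
	}
	for _, p := range props {
		if !allowedFields[p.Name] {
			return nil, fmt.Errorf("%w: %q", ErrBadField, p.Name)
		}
	}
	return props, nil
}

// ContainsRegex escapes regex metacharacters before the value is used as $regex,
// so it matches literally and cannot introduce nested quantifiers (ReDoS).
func ContainsRegex(value string) string { return regexp.QuoteMeta(value) }

// SortAllowed applies the same allowlist to the sort by parameter.
func SortAllowed(field string) bool { return allowedFields[field] }
```

Rejected filters should return a 4xx with a short reason rather than surfacing as a bodiless 500 from the database layer.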

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-44425
GHSA-47R2-V3X6-WFF9

Affected Products

Shellhub