PT-2026-42605 · Go · Github.Com/Fission/Fission
Published 2026-05-21 · Updated 2026-05-21
Severity: none assigned. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Summary
Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...'; note that strings.Fields splits on whitespace only and does not interpret shell quoting, so a payload has to survive that split) and execute arbitrary code in the builder pod context.
Affected component
- pkg/builder/builder.go:254: call site, exec.Command(buildCmd, buildArgs...).
- pkg/builder/builder.go:106: input source, buildCmd, buildArgs = strings.Fields(req.BuildCommand)[0], strings.Fields(req.BuildCommand)[1:].
Impact
A subject with create / update privilege on Environment objects could:
- Cause the builder pod for any package using that environment to execute arbitrary code.
- Read whatever files the builder pod can access inside its /packages shared volume (deployment archive payloads for that package).
- Write arbitrary content into the /packages shared volume, which the fetcher subsequently uploads as the package deployment archive.
The builder pod runs in the user's namespace with the fission-builder ServiceAccount (not the more-privileged executor SA), so the impact is bounded to that namespace's package contents and the builder pod's own filesystem. PR:H (privileges required: high) reflects that creating or modifying Environment CRDs is typically restricted to cluster admins or platform operators.
Root cause
The build-command parser in pkg/builder/builder.go did not validate the resulting executable path. exec.Command does not invoke a shell, but when the first token contains no path separator it resolves the executable through $PATH (exec.LookPath), and the strings.Fields split let the Environment author hand arbitrary flags and sub-arguments to whatever executable they named.
Released in v1.23.0:
- PR #3364 (commit 0f45c911) introduces Builder.resolveBuildCommand in pkg/builder/builder.go, which:
  - accepts an empty string (treated as the default /build);
  - accepts the literal /build;
  - accepts any absolute path that survives filepath.Clean and contains no .. segments;
  - rejects anything containing whitespace metacharacters, and rejects relative paths.
exec.Command still receives only the validated absolute path; sub-arguments continue to come from strings.Fields of the original string but are now passed positionally with no shell expansion.
Two caveats when reviewing the change. First, filepath.Clean eliminates .. segments lexically (it turns /build/../bin/sh into /bin/sh), so a .. check applied after cleaning never fires on an absolute path; the meaningful test is whether the supplied value is already identical to its cleaned form. Second, the validator constrains which executable runs and removes the $PATH lookup, but it still accepts any absolute path that exists in the builder image, so the RBAC restriction under Mitigation remains relevant after upgrading.
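The two parsing strategies side by side, as an added example written for this page (it is not code from the Fission repository, and validateBuildCommand is a hypothetical name, not the project's Builder.resolveBuildCommand). splitNaively reproduces the pre-fix behaviour the advisory describes; validateBuildCommand applies the acceptance rules listed above, with the .. check done by comparing the input against its filepath.Clean form so that traversal attempts are actually caught.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// splitNaively mirrors the pre-fix parsing described in the advisory: the
// whole Environment.spec.builder.command string is split on whitespace, the
// first token becomes the executable and the rest become its arguments.
// Nothing is validated, so "/bin/sh -c id" becomes
// exec.Command("/bin/sh", "-c", "id"), and a bare "sh" would be resolved
// through $PATH inside the builder image.
func splitNaively(command string) (exe string, args []string) {
	fields := strings.Fields(command)
	if len(fields) == 0 {
		return "", nil
	}
	return fields[0], fields[1:]
}

const defaultBuildCommand = "/build"

var (
	errWhitespace = errors.New("build command must not contain whitespace")
	errRelative   = errors.New("build command must be an absolute path")
	errNotClean   = errors.New("build command must already be in filepath.Clean form")
)

// validateBuildCommand is a hypothetical validator (not the project's own
// function) implementing the rules the advisory lists for the fix:
//   - ""        -> the default /build
//   - "/build"  -> accepted as-is
//   - any other absolute path is accepted only if filepath.Clean leaves it
//     unchanged, which rules out "." and ".." segments and stray separators
//   - anything containing whitespace, and any relative path, is rejected
//
// Comparing against the cleaned form matters: filepath.Clean removes ".."
// from an absolute path ("/build/../bin/sh" -> "/bin/sh"), so searching the
// cleaned result for ".." would never reject a traversal attempt.
func validateBuildCommand(command string) (string, error) {
	if command == "" {
		return defaultBuildCommand, nil
	}
	if strings.ContainsAny(command, " \t\r\n\v\f") {
		return "", errWhitespace
	}
	if !filepath.IsAbs(command) {
		return "", errRelative
	}
	if filepath.Clean(command) != command {
		return "", errNotClean
	}
	return command, nil
}

func main() {
	// Constructed inputs covering the accepted forms and the rejected ones.
	samples := []string{
		"", "/build", "/usr/local/bin/build-python",
		"build", "/bin/sh -c id", "/build/../bin/sh",
	}
	for _, c := range samples {
		exe, args := splitNaively(c)
		resolved, err := validateBuildCommand(c)
		fmt.Printf("%-20q naive: exe=%q args=%q | validated: %q err=%v\n",
			c, exe, args, resolved, err)
	}
}
```

The whitespace check means that, under these rules, no arguments reach exec.Command at all; if the project does forward trailing tokens as positional arguments, as the text above states, that forwarding happens outside this validator and is worth reading in the v1.23.0 source before relying on it.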
Mitigation (until upgrade)
- Restrict who can create / update Environment CRDs to trusted operators only.
- Audit Environment.spec.builder.command values for any non-/build paths.
- Run the buildermgr with a tightened ServiceAccount that has no secret access in the builder namespace.
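An audit helper for the second mitigation step, as an added example written for this page (not Fission's own tooling). It assumes the input is the JSON list that kubectl get environments -A -o json produces, of which only metadata.namespace, metadata.name and spec.builder.command are read; the sample list embedded below is constructed for the example and is not output from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// environmentList is the subset of a kubectl JSON listing that the audit
// needs. encoding/json ignores every other field in the real objects.
type environmentList struct {
	Items []struct {
		Metadata struct {
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			Builder struct {
				Image   string `json:"image"`
				Command string `json:"command"`
			} `json:"builder"`
		} `json:"spec"`
	} `json:"items"`
}

// Finding records one Environment whose build command is not the default.
type Finding struct {
	Namespace string
	Name      string
	Command   string
	Reason    string
}

// auditBuildCommands returns every Environment whose spec.builder.command
// is anything other than "" or "/build". The Reason separates the two
// shapes that matter most on a pre-fix cluster: a command with extra
// whitespace-separated tokens (those tokens became exec.Command arguments)
// and a bare executable name (resolved through $PATH in the builder image).
func auditBuildCommands(listJSON []byte) ([]Finding, error) {
	var list environmentList
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parsing environment list: %w", err)
	}
	var findings []Finding
	for _, env := range list.Items {
		cmd := env.Spec.Builder.Command
		if cmd == "" || cmd == "/build" {
			continue
		}
		var reason string
		switch {
		case len(strings.Fields(cmd)) > 1:
			reason = "command carries extra arguments"
		case !strings.HasPrefix(cmd, "/"):
			reason = "relative executable name, resolved via $PATH"
		default:
			reason = "non-default absolute executable"
		}
		findings = append(findings, Finding{
			Namespace: env.Metadata.Namespace,
			Name:      env.Metadata.Name,
			Command:   cmd,
			Reason:    reason,
		})
	}
	return findings, nil
}

// sampleList is a constructed listing for this example, not real cluster data.
const sampleList = `{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"metadata": {"namespace": "default", "name": "python"},
     "spec": {"builder": {"image": "registry.example/python-builder", "command": ""}}},
    {"metadata": {"namespace": "default", "name": "node"},
     "spec": {"builder": {"image": "registry.example/node-builder", "command": "/build"}}},
    {"metadata": {"namespace": "team-a", "name": "go-custom"},
     "spec": {"builder": {"image": "registry.example/go-builder", "command": "/usr/local/bin/custom-build"}}},
    {"metadata": {"namespace": "team-b", "name": "suspicious"},
     "spec": {"builder": {"image": "registry.example/python-builder", "command": "/bin/sh -c id"}}},
    {"metadata": {"namespace": "team-b", "name": "relative"},
     "spec": {"builder": {"image": "registry.example/python-builder", "command": "build"}}}
  ]
}`

func main() {
	findings, err := auditBuildCommands([]byte(sampleList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s/%s: %q (%s)\n", f.Namespace, f.Name, f.Command, f.Reason)
	}
}
```

Anything the audit reports deserves a look regardless of reason: on a pre-fix cluster the first two reasons are the direct exploitation shapes, and on a fixed cluster a non-default absolute executable is still a deliberate choice someone with Environment write access made.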
Improper Privilege Management
OS Command Injection
Related Identifiers
Affected Products
Github.Com/Fission/Fission