GHSA-F2FC-VC88-6W7Q

Vulnerability from github – Published: 2026-03-11 00:25 – Updated: 2026-03-11 20:45
VLAI?
Summary
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Details

Summary

Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.

Details

The claudecodeui application provides Git integration through various API endpoints. These endpoints accept user-controlled parameters such as file paths, branch names, commit messages, and commit hashes, which are directly interpolated into shell command strings passed to execAsync().

The application attempts to escape double quotes in some parameters, but this protection is trivially bypassable using other shell metacharacters such as:

Command substitution: $(command) or `command` Command chaining: ;, &&, || Newlines and other control characters

Affected Endpoints

GET /api/git/diff - file parameter GET /api/git/status - file parameter POST /api/git/commit - files array and message parameter POST /api/git/checkout - branch parameter POST /api/git/create-branch - branch parameter GET /api/git/commits - commit hash parameter GET /api/git/commit-diff - commit parameter

Vulnerable Code

File: server/routes/git.js

// Line 205 - git status with file parameter
const { stdout: statusOutput } = await execAsync(
  `git status --porcelain "${file}"`,  // INJECTION via file
  { cwd: projectPath }
);

// Lines 375-379 - git commit with files array and message
for (const file of files) {
  await execAsync(`git add "${file}"`, { cwd: projectPath });  // INJECTION via files[]
}
const { stdout } = await execAsync(
  `git commit -m "${message.replace(/"/g, '\\"')}"`,  // INJECTION via message (bypass with $())
  { cwd: projectPath }
);

// Lines 541-543 - git show with commit parameter (no quotes!)
const { stdout } = await execAsync(
  `git show ${commit}`,  // INJECTION via commit
  { cwd: projectPath }
);

Impact

  • Remote Code Execution as the Node.js process user
  • Full server compromise
  • Data exfiltration
  • Supply chain attacks - modify committed code to inject malware

Fix

Commit: siteboon/claudecodeui@55567f4

Root cause remediation

All vulnerable execAsync() calls have been replaced with the existing spawnAsync() helper (which uses child_process.spawn with shell: false). Arguments are passed as an array directly to the OS — shell metacharacters in user input are inert.

Endpoints patched in server/routes/git.js:

  • GET /api/git/difffile (4 calls)
  • GET /api/git/file-with-difffile (3 calls)
  • POST /api/git/commitfiles[], message
  • POST /api/git/checkoutbranch
  • POST /api/git/create-branchbranch
  • GET /api/git/commitscommit.hash
  • GET /api/git/commit-diffcommit
  • POST /api/git/generate-commit-messagefile
  • POST /api/git/discardfile (3 calls)
  • POST /api/git/delete-untrackedfile
  • POST /api/git/publishbranch

A strict allowlist regex (/^[0-9a-f]{4,64}$/i) was also added to validate the commit parameter in /api/git/commit-diff before it reaches the git process.

Before / After

// BEFORE — shell interprets the string, injection possible
const { stdout } = await execAsync(`git show ${commit}`, { cwd: projectPath });

// AFTER — no shell, args passed directly to the process
const { stdout } = await spawnAsync('git', ['show', commit], { cwd: projectPath });
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.23.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@siteboon/claudecodeui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:25:43Z",
    "nvd_published_at": "2026-03-11T18:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nMultiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.\n\n### Details\nThe claudecodeui application provides Git integration through various API endpoints. These endpoints accept user-controlled parameters such as file paths, branch names, commit messages, and commit hashes, which are directly interpolated into shell command strings passed to execAsync().\n\nThe application attempts to escape double quotes in some parameters, but this protection is trivially bypassable using other shell metacharacters such as:\n\nCommand substitution: $(command) or \\`command\\`\nCommand chaining: ;, \u0026\u0026, ||\nNewlines and other control characters\n\n### Affected Endpoints\n`GET /api/git/diff - file parameter`\n`GET /api/git/status - file parameter`\n`POST /api/git/commit - files array and message parameter`\n`POST /api/git/checkout - branch parameter`\n`POST /api/git/create-branch - branch parameter`\n`GET /api/git/commits - commit hash parameter`\n`GET /api/git/commit-diff - commit parameter`\n\n### Vulnerable Code\n\nFile: server/routes/git.js\n```\n// Line 205 - git status with file parameter\nconst { stdout: statusOutput } = await execAsync(\n  `git status --porcelain \"${file}\"`,  // INJECTION via file\n  { cwd: projectPath }\n);\n```\n```\n// Lines 375-379 - git commit with files array and message\nfor (const file of files) {\n  await execAsync(`git add \"${file}\"`, { cwd: projectPath });  // INJECTION via files[]\n}\nconst { stdout } = await execAsync(\n  `git commit -m \"${message.replace(/\"/g, \u0027\\\\\"\u0027)}\"`,  // INJECTION via message (bypass with $())\n  { cwd: projectPath }\n);\n```\n```\n// Lines 541-543 - git show with commit parameter (no quotes!)\nconst { stdout } = await execAsync(\n  `git show ${commit}`,  // INJECTION via commit\n  { cwd: projectPath }\n);\n```\n\n### Impact\n- Remote Code Execution as the Node.js process user\n- Full server compromise\n- Data exfiltration\n- Supply chain attacks - modify committed code to inject malware\n\n---\n\n### Fix\n\n**Commit:** siteboon/claudecodeui@55567f4\n\n#### Root cause remediation\n\nAll vulnerable `execAsync()` calls have been replaced with the existing `spawnAsync()` helper (which uses `child_process.spawn` with `shell: false`). Arguments are passed as an array directly to the OS \u2014 shell metacharacters in user input are inert.\n\n**Endpoints patched in `server/routes/git.js`:**\n\n- `GET /api/git/diff` \u2014 `file` (4 calls)\n- `GET /api/git/file-with-diff` \u2014 `file` (3 calls)\n- `POST /api/git/commit` \u2014 `files[]`, `message`\n- `POST /api/git/checkout` \u2014 `branch`\n- `POST /api/git/create-branch` \u2014 `branch`\n- `GET /api/git/commits` \u2014 `commit.hash`\n- `GET /api/git/commit-diff` \u2014 `commit`\n- `POST /api/git/generate-commit-message` \u2014 `file`\n- `POST /api/git/discard` \u2014 `file` (3 calls)\n- `POST /api/git/delete-untracked` \u2014 `file`\n- `POST /api/git/publish` \u2014 `branch`\n\nA strict allowlist regex (`/^[0-9a-f]{4,64}$/i`) was also added to validate the `commit` parameter in `/api/git/commit-diff` before it reaches the git process.\n\n#### Before / After\n\n```js\n// BEFORE \u2014 shell interprets the string, injection possible\nconst { stdout } = await execAsync(`git show ${commit}`, { cwd: projectPath });\n\n// AFTER \u2014 no shell, args passed directly to the process\nconst { stdout } = await spawnAsync(\u0027git\u0027, [\u0027show\u0027, commit], { cwd: projectPath });\n```",
  "id": "GHSA-f2fc-vc88-6w7q",
  "modified": "2026-03-11T20:45:24Z",
  "published": "2026-03-11T00:25:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31862"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siteboon/claudecodeui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.