Olivetin OS Command Injection Vulnerability in Custom Themes
Vulnerability
A command injection vulnerability has been identified in Olivetin version 2025.4.22, specifically within the Custom Themes feature. The issue arises in the ParseRequestURI function, located in service/internal/executor/arguments.go, where user-supplied URL arguments pass a URL parse check but are not sanitized for shell metacharacters before being interpolated into a shell command. This flaw allows attackers to inject commands that the system then executes, potentially leading to unauthorized access or disclosure of sensitive information.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the injected commands executed in the context of the user running the Olivetin service. This could lead to unauthorized access to sensitive files, such as the `/etc/passwd` file, and potentially allow for further system compromise.
Reproduction
To reproduce this vulnerability, access the Olivetin application and navigate to the Custom Themes feature. When prompted to provide a URL for the `themeGitRepo` argument, enter a URL that includes shell metacharacters, such as `http://a:cat</etc/passwd`. The URL will pass the validation check but will inject the `cat` command into the shell execution. Once the command is executed, the contents of the `/etc/passwd` file will be returned, demonstrating the successful exploitation of the command injection vulnerability.
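As an added illustration (not OliveTin's own code), the contrast at the heart of this advisory: a check that only asks `url.ParseRequestURI` whether a value parses, beside an allow-list check and an argv-based invocation that never hands the value to a shell. The regex, the function names and the `git clone` argv are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Allow-list for a git repository URL (an assumption for this example, not
// OliveTin's own rule): scheme, host, optional port, and a path made only of
// URL-safe characters. Shell metacharacters such as ; | < > $ ` cannot match.
var gitRepoURL = regexp.MustCompile(
	`^https?://[A-Za-z0-9.\-]+(:[0-9]{1,5})?(/[A-Za-z0-9._\-/]*)?$`)

// WeakCheck is the kind of test the advisory describes: it only asks whether
// the value parses as a request URI, which says nothing about shell safety.
func WeakCheck(raw string) bool {
	_, err := url.ParseRequestURI(raw)
	return err == nil
}

// StrictCheck rejects anything outside the allow-list.
func StrictCheck(raw string) bool {
	return gitRepoURL.MatchString(raw)
}

// BuildGitClone returns the argv to pass to exec.Command. The URL travels as
// one argument to git itself; no shell string is built, so even a value that
// slipped past validation could not be parsed as additional commands.
func BuildGitClone(raw, dest string) ([]string, error) {
	if !StrictCheck(raw) {
		return nil, fmt.Errorf("rejected themeGitRepo value %q", raw)
	}
	return []string{"git", "clone", "--", raw, dest}, nil
}

func main() {
	// Constructed inputs: a normal repository URL and one carrying a ';'.
	for _, v := range []string{
		"https://example.com/org/theme.git",
		"https://example.com/theme.git;echo",
	} {
		argv, err := BuildGitClone(v, "/tmp/theme")
		fmt.Printf("%-38s weak=%-5v strict=%-5v argv=%v err=%v\n",
			v, WeakCheck(v), StrictCheck(v), argv, err)
	}
}
```

The second input parses cleanly under the weak check yet fails the allow-list, which is exactly the gap a URL-syntax check leaves open.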