ngrok Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in the ngrok npm package, versions 4.3.3 and 5.0.0-beta.2. The value supplied through the 'binPath' option is passed to a shell when the package runs the ngrok binary, so an attacker who controls that option can execute arbitrary commands on the system where ngrok is running.

Impact

Successful exploitation gives the attacker arbitrary command execution on the host system, with the privileges of the process that uses the ngrok package.

Reproduction

To reproduce this vulnerability, install the ngrok npm package and write a script that passes a malicious value in the 'binPath' option. The value is crafted so that, when interpreted by a shell, it runs an additional command, such as creating a file in the current directory. When the 'getVersion' method is called with these options, the injected command is executed, which demonstrates the command injection.

Added: May 18, 2026, 4:19 PM
Updated: May 18, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.