Dokploy
- <= 0.26.6
A critical OS command injection vulnerability has been identified in Dokploy, a self-hostable Platform as a Service (PaaS). This issue affects versions through 0.26.6. The vulnerability arises from inadequate input sanitization, lack of schema validation, and direct interpolation of user-controlled application names into shell commands. An authenticated attacker can exploit this by injecting shell metacharacters into the appName field during application creation. These injected commands are executed with server-level privileges when service operations are performed, such as starting or stopping the application.
Successful exploitation allows arbitrary command execution on the server with root privileges, particularly in Docker deployments, where Dokploy is typically hosted.
To reproduce this vulnerability, log into a Dokploy instance and create a project. Then, use the 'apiCreateApplication' mutation to create an application with a malicious 'appName' that includes command injection payloads, such as 'test;id>/tmp/pwned;echo'. After the application is created, trigger the vulnerability by stopping the application, which executes the injected command on the server.
Users can update to Dokploy version 0.26.7, where this vulnerability has been patched. The patch includes improved input validation for the appName parameter, ensuring it only contains safe characters before being processed.
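As an added illustration (not Dokploy's own code), the pattern the advisory describes beside a hardened version: the unsafe form interpolates the user-controlled appName into a single shell string, while the fixed form checks the name against an allowlist and then invokes the command with an argv array, which never passes through a shell. The `docker stop` invocation and the allowlist pattern are assumptions for the example.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Allowlist for an application name: lowercase letters, digits and hyphens,
// 1..63 characters, no leading or trailing hyphen. This is a constructed rule
// for the example, not Dokploy's actual validation pattern.
const APP_NAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function isSafeAppName(name: string): boolean {
  return APP_NAME_RE.test(name);
}

// Vulnerable pattern (illustration only, never executed here): the name is
// spliced into a shell command string, so characters such as ';' or '>'
// are interpreted as shell syntax rather than as part of the name.
function buildStopCommandUnsafe(appName: string): string {
  return `docker stop ${appName}`;
}

// Hardened pattern: reject anything outside the allowlist, then return an
// executable plus argv array. execFile() passes argv directly to the
// process without a shell, so metacharacters cannot change the command.
function buildStopArgs(appName: string): { file: string; args: string[] } {
  if (!isSafeAppName(appName)) {
    throw new Error(`rejected unsafe appName: ${JSON.stringify(appName)}`);
  }
  return { file: "docker", args: ["stop", appName] };
}

// Service operation that uses the hardened builder. The hypothetical
// `docker stop <name>` command is an assumption for the example.
async function stopApplication(appName: string): Promise<string> {
  const { file, args } = buildStopArgs(appName);
  const { stdout } = await execFileAsync(file, args);
  return stdout.trim();
}
```

The same validate-then-argv approach applies to every service operation that takes the name (start, stop, redeploy), since the name is stored once and reused by all of them.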