Cloud CLI OS Command Injection Vulnerability Allowing Unauthenticated Remote Code Execution

Vulnerability

A critical OS command injection vulnerability has been identified in Cloud CLI versions prior to 1.25.0. It allows unauthenticated remote code execution through a WebSocket shell interface: user-supplied data is interpolated directly into a bash command without sanitization, so an attacker can run arbitrary commands on the host system. The authentication check in front of this interface can be bypassed because the application falls back to an insecure default JSON Web Token (JWT) secret, which lets an attacker forge a token the server accepts and then reach the injectable command.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the server, with the executed commands running as the server process user. This could allow an attacker to read or write files on the filesystem, steal credentials such as SSH keys or API keys, and potentially move laterally within the host network.

Reproduction

To reproduce this vulnerability, first confirm that the Cloud CLI application is running a version prior to 1.25.0 and that the JWT_SECRET environment variable is not set, so the default secret is in use. Then connect to the application's WebSocket shell endpoint, presenting a JWT crafted to contain a user ID that does not exist in the database. Once connected, send a message containing the injection payload, such as a command to be executed, which triggers the OS command injection flaw. The output of the executed command is returned over the WebSocket connection.

Remediation

Update to Cloud CLI version 1.25.0 or later, which fixes this vulnerability. In addition, set a strong, unique JWT_SECRET environment variable before deploying the application so that the default secret is never used.
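As an added illustration, not Cloud CLI's own code, the following shows the hardened shape of the two fixes this advisory describes: refuse to start on the default or a weak JWT_SECRET, accept a token only if its HS256 signature verifies and its user ID exists, and launch the requested program as an argv list instead of interpolating it into a bash string. The default secret value, the program allowlist and all function names are assumptions.

```python
import base64, hashlib, hmac, json, os, shlex, subprocess

# Hypothetical stand-in for the insecure shipped default; the real value is not in the advisory.
DEFAULT_JWT_SECRET = "changeme"
# Assumed allowlist of programs the shell endpoint may launch.
ALLOWED_PROGRAMS = {"echo", "ls", "cat"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(env=None):
    """Refuse to run with the default or a short JWT_SECRET instead of silently falling back."""
    env = os.environ if env is None else env
    secret = env.get("JWT_SECRET", "")
    if secret == DEFAULT_JWT_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET is unset, default, or too short; refusing to start")
    return secret.encode()

def sign_hs256(claims, secret):
    """Minimal HS256 signer, used here only to build test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token, secret, known_users):
    """Return the user id only if the signature is valid AND the user exists in the database."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never honour 'none' or a token-chosen alg
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        user_id = json.loads(_b64url_decode(body)).get("sub")
    except (ValueError, AttributeError):
        return None
    return user_id if user_id in known_users else None  # unknown ids are rejected, not trusted

def run_command(message):
    """Run the requested program as an argv list: no bash, so ';', '|' and '$()' are inert text."""
    argv = shlex.split(message)
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowed: {argv[:1]}")
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout
```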

Added: Mar 11, 2026, 6:19 PM
Updated: Mar 11, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.