Evolver Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in Evolver versions prior to 1.69.3. The issue arises in the `_extractLLM()` function, where user-controlled input is interpolated into a shell command without adequate sanitization. When the `corpus` parameter contains shell metacharacters, the shell interprets them, allowing an attacker to execute arbitrary commands on the server. The vulnerability has been patched in version 1.69.3.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running under the privileges of the Node.js process. This could lead to a full system compromise, data exfiltration, installation of malware or backdoors, or lateral movement within the network.
Reproduction
To reproduce this vulnerability, control the `userSnippet` parameter that is processed by the `extractSignals()` function, which then calls the vulnerable `_extractLLM()` function. This can be done through compromised log files or by injecting malicious user input. Once the `corpus` parameter is crafted to include shell metacharacters, the injected commands will be executed on the server.
Remediation
Users are advised to update to Evolver version 1.69.3 or later.
