ShellHub Centralized SSH Gateway Unrestricted HTTP 500 Generation Vulnerability

Vulnerability

A vulnerability in ShellHub, a centralized SSH gateway, allows any authenticated user to make the device list endpoint return an HTTP 500 error. Versions through 0.24.1 are affected. The endpoint accepts user-controlled identifiers in the filter and sort-by query parameters and hands them to the database layer as BSON/SQL keys without validating them. Because the keys are never checked, a user can inject MongoDB operator names and other special elements that break the API's aggregation/query stage, so the server answers with a 500 instead of rejecting the request with a well-formed 4xx response. The same requests can also be used to sidestep rate limiting and to generate log noise that complicates forensic analysis.

Impact

Exploitation causes unrestricted generation of HTTP 500 responses. The resulting log noise produces false positives in security monitoring, disrupts normal operations, and can bypass Web Application Firewall (WAF) protections: the filter payload is base64-encoded, so signature-based rules never see the injected operator names in clear text. In addition, because the filter accepts regular expressions, crafted patterns evaluated against large tenant datasets can exhaust server resources (ReDoS amplification).

Reproduction

To reproduce this vulnerability, authenticate as any user and obtain a valid JWT token. Then send a request to the device list endpoint whose base64-encoded filter payload contains injected MongoDB operator names or virtual pipeline-computed fields as identifiers; the API returns HTTP 500. The sort-by query parameter can be exploited the same way by supplying MongoDB operator names or an oversized string, which also results in an HTTP 500 error.

Remediation

The vulnerability has been fixed in ShellHub version 0.24.2. Users should update to that version or later. Until the upgrade is applied, a burst of HTTP 500 responses from the device list endpoint tied to a single authenticated user is the observable signature of this abuse and should not be dismissed as ordinary log noise.
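The following Go program is an added example that is not part of the advisory and is not ShellHub's own code. It serves both the reproduction and remediation sections: it builds the base64-encoded filter query string an authenticated client would send, shows the vulnerable pattern in which the user-supplied identifier is used directly as a BSON key, and then shows the hardened server-side check (bounded length, no `$`-prefixed operator names, allowlisted field and operator names, strict JSON decoding) that turns the same input into a 400 rather than a 500. The `Filter` shape, the parameter names `filter` and `sort_by`, the endpoint path `/api/devices`, and the allowlist contents are all assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Filter is a simplified, hypothetical model of one entry in the device
// list endpoint's base64-encoded JSON filter parameter (assumed shape).
type Filter struct {
	Name     string `json:"name"`     // identifier that becomes a query key
	Operator string `json:"operator"` // comparison such as "eq" or "contains"
	Value    string `json:"value"`    // user-supplied value
}

// buildDeviceListQuery returns the query string an authenticated client
// appends to the device list URL: JSON filter, base64-encoded, plus a sort
// key. Nothing is validated here, so injected keys pass through unchanged.
// The parameter names "filter" and "sort_by" are assumptions.
func buildDeviceListQuery(filters []Filter, sortBy string) (string, error) {
	raw, err := json.Marshal(filters)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("filter", base64.StdEncoding.EncodeToString(raw))
	q.Set("sort_by", sortBy)
	return q.Encode(), nil
}

// unsafeMatchStage shows the vulnerable pattern: the user-supplied name is
// used directly as a BSON key, so "$where" lands inside the $match stage.
func unsafeMatchStage(f Filter) map[string]interface{} {
	return map[string]interface{}{"$match": map[string]interface{}{f.Name: f.Value}}
}

// Illustrative server-side allowlists and bounds; only these names may
// reach the query builder.
var allowedFields = map[string]bool{"name": true, "status": true, "last_seen": true, "uid": true}
var allowedOperators = map[string]bool{"eq": true, "contains": true, "gt": true, "lt": true}
const maxFieldLen, maxValueLen = 64, 256

// validateField is the hardened check for any identifier taken from the
// filter or sort-by parameters: bounded length, no MongoDB operator
// ($-prefixed) and present in the allowlist. An error here maps to a 400
// response instead of a 500 raised by the database layer.
func validateField(field string) error {
	switch {
	case field == "":
		return fmt.Errorf("empty field name")
	case len(field) > maxFieldLen:
		return fmt.Errorf("field name too long (%d > %d)", len(field), maxFieldLen)
	case strings.HasPrefix(field, "$"):
		return fmt.Errorf("operator injection rejected: %q", field)
	case !allowedFields[field]:
		return fmt.Errorf("unknown field: %q", field)
	}
	return nil
}

// decodeAndValidate is the server-side counterpart: decode, parse strictly
// and validate every key, operator and value length before the database sees anything.
func decodeAndValidate(encoded string) ([]Filter, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("filter is not valid base64: %w", err)
	}
	var filters []Filter
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	dec.DisallowUnknownFields() // extra keys such as "$expr" are rejected
	if err := dec.Decode(&filters); err != nil {
		return nil, fmt.Errorf("filter is not valid JSON: %w", err)
	}
	for i, f := range filters {
		if err := validateField(f.Name); err != nil {
			return nil, fmt.Errorf("filter[%d]: %w", i, err)
		}
		if !allowedOperators[f.Operator] {
			return nil, fmt.Errorf("filter[%d]: unknown operator %q", i, f.Operator)
		}
		if len(f.Value) > maxValueLen {
			return nil, fmt.Errorf("filter[%d]: value too long", i)
		}
	}
	return filters, nil
}

func main() {
	// Constructed input: one filter entry carrying an injected operator as its key.
	bad := Filter{Name: "$where", Operator: "eq", Value: "1"}
	q, _ := buildDeviceListQuery([]Filter{bad}, "name")
	vals, _ := url.ParseQuery(q)
	_, err := decodeAndValidate(vals.Get("filter"))
	fmt.Printf("GET /api/devices?%s\n", q) // endpoint path is assumed
	fmt.Printf("vulnerable stage: %v\nhardened answer: %v\n", unsafeMatchStage(bad), err)
}
```

The same `validateField` check is applied to the sort-by value, which covers both the operator-name and the oversized-string variants the advisory describes for that parameter. Bounding the value length does not by itself prevent a pathological regular expression, but it limits how large a pattern can be submitted per request; a real fix should additionally restrict which operators accept patterns at all.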

Added: May 13, 2026, 10:26 PM
Updated: May 13, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.