Dokploy
Affected versions: <= 0.28.8
A command injection vulnerability has been identified in Dokploy versions through 0.28.8, specifically within the application.updateTraefikConfig tRPC endpoint. This vulnerability allows authenticated admin or owner users to execute arbitrary system commands on remote servers. The issue arises from unsanitized interpolation of the Traefik configuration into an echo command during the configuration update process; a single quote in the configuration breaks out of the command's quoting context.
Exploitation of this vulnerability allows for OS command injection, with executed commands running on the remote server under the privileges of the SSH user.
To reproduce this vulnerability, an authenticated admin or owner account is required on a Dokploy instance, along with an application deployed on a server with an SSH key configured. The vulnerability can be exploited by sending a tRPC mutation to the application.updateTraefikConfig endpoint, including a crafted traefikConfig value that contains a single quote. This injection breaks out of the echo command's quotation, allowing arbitrary commands to be executed on the server.
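The quoting failure described above, as an added example that is not Dokploy's own code: the unsafe shape (a config spliced into a single-quoted echo) beside POSIX single-quote escaping, with a small quote-aware word splitter showing how a remote shell would tokenize each command. The function names, the sample config and the file path are constructed for this illustration.

```typescript
// Mirrors the vulnerable shape: a single quote inside traefikConfig ends the
// quoted word, so whatever follows is parsed by the shell as syntax.
function buildUnsafeCommand(traefikConfig: string, path: string): string {
  return `echo '${traefikConfig}' > ${path}`;
}

// Cheap pre-flight check a handler can run before any shell is involved.
function breaksSingleQuoting(value: string): boolean {
  return value.includes("'");
}

// POSIX-safe single quoting: close the quote, emit \', reopen the quote.
function shellQuote(value: string): string {
  return `'${value.replace(/'/g, `'\\''`)}'`;
}

// Hardened form: every untrusted value goes through shellQuote.
function buildSafeCommand(traefikConfig: string, path: string): string {
  return `printf '%s' ${shellQuote(traefikConfig)} > ${shellQuote(path)}`;
}

// Minimal shell-like splitter: single quotes group text, a backslash outside
// quotes escapes the next character, whitespace separates words.
function splitWords(cmd: string): { words: string[]; unterminated: boolean } {
  const words: string[] = [];
  let cur = "", inQuote = false, started = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inQuote) { if (ch === "'") inQuote = false; else cur += ch; continue; }
    if (ch === "'") { inQuote = true; started = true; }
    else if (ch === "\\" && i + 1 < cmd.length) { cur += cmd[++i]; started = true; }
    else if (/\s/.test(ch)) { if (started) { words.push(cur); cur = ""; started = false; } }
    else { cur += ch; started = true; }
  }
  if (started) words.push(cur);
  return { words, unterminated: inQuote };
}

// Constructed sample: a perfectly ordinary Traefik config with a quoted port.
const SAMPLE_CONFIG = "entryPoints:\n  web:\n    address: ':80'\n";
const CONFIG_PATH = "/placeholder/traefik.yml"; // placeholder, not a Dokploy path

// With the unsafe builder the shell sees a different argument than the config;
// with the safe builder the argument round-trips byte for byte.
const unsafeArg = splitWords(buildUnsafeCommand(SAMPLE_CONFIG, CONFIG_PATH)).words[1];
const safeArg = splitWords(buildSafeCommand(SAMPLE_CONFIG, CONFIG_PATH)).words[2];
```

Writing the config over stdin to a fixed command, rather than building a shell string at all, removes the quoting problem entirely.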