Dokploy, affected versions: through 0.26.6
A command injection vulnerability has been identified in Dokploy versions through 0.26.6. It resides in the '/docker-container-logs' WebSocket endpoint, where the 'tail' and 'since' parameters are concatenated directly into shell commands without any validation, so an authenticated user can inject commands that are then executed with root privileges.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands as root, potentially leading to full system compromise. Additionally, there is a risk of escaping from the Docker container, as the Docker socket is mounted.
To reproduce this vulnerability, connect to the '/docker-container-logs' WebSocket endpoint with an authenticated session. Send a payload that includes a command injection in the 'tail' parameter, such as '10; whoami; #'. The injected command will be executed with root privileges, and the response can be read from the WebSocket connection.
Users can block the vulnerable WebSocket endpoint using Nginx or restrict access to the internal network. A patch will be included in Dokploy version 0.26.7.