Dokploy Command Injection Vulnerability in Registry Deletion Function

Vulnerability

A command injection vulnerability has been identified in Dokploy versions through 0.29.0. The issue arises in the deleteRegistry function, located in packages/server/src/services/registry.ts. There, the docker logout command is built with a registry URL that is not shell-escaped, so a crafted URL can inject arbitrary commands. This contrasts with the docker login command in the same file, which correctly wraps the URL in shEscape() to prevent such injection. The flaw can be exploited by an authenticated user with registry management permissions, who can supply a registry URL containing shell metacharacters to execute commands on the Dokploy host.

Impact

Exploitation of this vulnerability allows for remote code execution on the Dokploy server. This could lead to a complete compromise of the server and all applications hosted on it. Additionally, access to the Docker daemon could enable an attacker to escape from a container and compromise the host system.

Reproduction

To reproduce this vulnerability, first create a Docker registry with a malicious URL that includes shell metacharacters, such as a semicolon followed by a command (e.g., '; id > /tmp/pwned #'). After the registry is created, delete it using the registry.remove API endpoint. This action will trigger the docker logout command with the injected URL, executing the appended command on the server.
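The following is an added illustration, not Dokploy's own code: it places the unescaped-interpolation shape the advisory describes next to a quoted form (the approach the advisory says the login path already takes) and an argv form that avoids the shell entirely, plus a strict URL allowlist as a second layer. shellQuote, buildLogoutCommandUnsafe, buildLogoutCommandSafe, buildLogoutArgv, isPlausibleRegistryUrl and hasUnquotedMetachar are hypothetical helpers; Dokploy's real shEscape() is not reproduced here.

```typescript
// Added illustration (not Dokploy's code). All helpers below are hypothetical.

/** POSIX single-quote escaping: wrap in '...' and encode embedded quotes as '\''. */
export function shellQuote(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

/** Vulnerable shape: the stored URL is interpolated into a shell command as-is. */
export function buildLogoutCommandUnsafe(registryUrl: string): string {
  return `docker logout ${registryUrl}`;
}

/** Fixed shape A: same command line, but the URL is quoted before the shell sees it. */
export function buildLogoutCommandSafe(registryUrl: string): string {
  return `docker logout ${shellQuote(registryUrl)}`;
}

/** Fixed shape B: no shell at all. Hand this to execFile/spawn so the URL is a
 *  single argv entry and metacharacters are never interpreted. */
export function buildLogoutArgv(registryUrl: string): { file: string; args: string[] } {
  return { file: "docker", args: ["logout", registryUrl] };
}

/** Defence in depth at registry creation: accept only host[:port][/path] so a
 *  crafted value is rejected before it reaches either command path. Tune the
 *  pattern to what your deployment actually stores (e.g. a scheme prefix). */
export function isPlausibleRegistryUrl(registryUrl: string): boolean {
  return /^[A-Za-z0-9.-]+(?::\d{1,5})?(?:\/[A-Za-z0-9._\/-]*)?$/.test(registryUrl);
}

/** Check used in tests: after dropping single-quoted segments (and the '\''
 *  escape sequence), does the command line still contain a shell metacharacter? */
export function hasUnquotedMetachar(cmd: string): boolean {
  const outside = cmd.replace(/'\\''/g, "").replace(/'[^']*'/g, "");
  return /[;&|`$()<>#\n]/.test(outside);
}

// Constructed sample input: a benign echo stands in for the advisory's payload.
const craftedUrl = "example.test; echo injected #";
console.log(buildLogoutCommandUnsafe(craftedUrl)); // metacharacters reach the shell
console.log(buildLogoutCommandSafe(craftedUrl));   // whole URL is one quoted word
console.log(buildLogoutArgv(craftedUrl));          // URL is one argv element
console.log(isPlausibleRegistryUrl(craftedUrl));   // false: rejected at creation
```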

Added: May 29, 2026, 4:20 PM
Updated: May 29, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.