luci-app-https-dns-proxy
- <= 2025.12.29-5
A command injection vulnerability allowing authenticated users to execute arbitrary commands as root has been identified in luci-app-https-dns-proxy versions through 2025.12.29-5. The vulnerability is in the setInitAction function, where users can inject shell metacharacters into the 'name' parameter of a ubus RPC call. The issue affects only installations that have installed the luci-app-https-dns-proxy package, which is distributed via the OpenWrt community packages feed. Core OpenWrt installations are not vulnerable.
Exploitation of this vulnerability allows authenticated users to gain root access on the affected device by executing arbitrary commands with root privileges.
To reproduce this vulnerability, an authenticated user with the luci.https-dns-proxy ACL permission can send a ubus RPC call to the 'luci.https-dns-proxy' service, specifically targeting the 'setInitAction' function. The 'name' parameter must be crafted to include shell metacharacters, which will be interpreted by the system shell. Once the payload is executed, the injected command will run with root privileges, leading to unauthorized access or modifications on the device.
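One way a handler such as setInitAction can keep the 'name' parameter away from the shell parser, as an added example that is not the project's code or its actual fix: the function names, the INIT_DIR variable and the list of accepted actions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): hardened init-action handler.
# INIT_DIR, validate_init_request and run_init_action are hypothetical names;
# the accepted action list is an assumption.

INIT_DIR="${INIT_DIR:-/etc/init.d}"

# Generic unsafe pattern behind this class of bug (comment only, never run):
#   sh -c "$INIT_DIR/$name $action"      # $name is re-parsed by a shell
#   eval "$INIT_DIR/$name $action"

# Return 0 only for an exact, known service name and a known action.
validate_init_request() {
    case "$1" in
        https-dns-proxy) ;;              # exact-match allowlist, no patterns
        *) return 1 ;;
    esac
    case "$2" in
        start|stop|restart|reload|enable|disable) ;;
        *) return 1 ;;
    esac
    return 0
}

# Run the init script with the action passed as a single argv element.
# Exit status: 2 = rejected input, 3 = script missing, else the script's status.
run_init_action() {
    name="$1"; action="$2"
    validate_init_request "$name" "$action" || return 2
    script="$INIT_DIR/$name"
    [ -x "$script" ] || return 3
    "$script" "$action"                  # no eval, no sh -c, no word splitting
}
```

Rejected requests return status 2 before any path is built, so a caller can log them as a detection signal for probing of this RPC method.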