8421bit MiniClaw OS Command Injection Vulnerability in Heartbeat Function
Vulnerability
A critical OS command injection vulnerability has been identified in 8421bit MiniClaw versions prior to the latest release. The issue resides in the 'executeCognitivePulse' function within 'src/kernel.ts', where unsanitized input from 'HEARTBEAT.md' is used to construct shell commands. This vulnerability allows remote execution of arbitrary OS commands. The flaw has been publicly disclosed and exploited.
Impact
Exploitation of this vulnerability allows for arbitrary OS command execution under the application's privileges.
Reproduction
To reproduce this vulnerability, overwrite the 'HEARTBEAT.md' file with a command injection payload, such as a command to create a file in the '/tmp' directory. After the payload is injected, either wait for the scheduled heartbeat task to execute or manually trigger the 'executeCognitivePulse' function. The injected command will be executed, confirming the successful exploitation of the vulnerability.
Remediation
Users are advised to update to the latest version of MiniClaw, where this vulnerability has been fixed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.