RCE Vulnerability Concerns
The cluster centers on debates about remote code execution (RCE) risks in software tools and clients that process untrusted input without proper sandboxing or mitigations, often referencing CVEs and potential exploits like arbitrary code execution from console output or file parsing.
Activity Over Time
Top Contributors
Keywords
Sample Comments
It's bad if it's susceptible to running an attacker's arbitrary code.
Your response entirely fails to address the parent's concern about security. It's like responding to a RCE in your backend with "yeah it's there but we'll trust the users to not use it"
This is like when `strings' was found to be vulnerable to code execution because it was parsing ELF files.
You don't even need to run something untrusted, just compromised console output is enough (from server logs, for example they mention python -m http.server)
it's a valid question! From the github the author writes "Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers."
Like the ‘zeroday vulnerability’ of users pasting commands into a prompt.
I can't wait for this to accidentally become a vector for an RCE... :)
Can this be exploited for malicious code?
It is plain surprising to see this gets a CVE. What is the next exploit? Calling `system(program)`?
Yes, my concern is that this functionality is baked into the client and is at a high risk of being executable remotely.