CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Description
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
Analysis
Maltrail network traffic analysis tool versions through 0.54 contain an unauthenticated OS command injection via the username parameter in POST requests to the /login endpoint. The input is passed to subprocess.check_output() without sanitization, enabling remote code execution on the security monitoring server.
Technical Context
The /login endpoint passes the username parameter to subprocess.check_output() for logging purposes without sanitization. An attacker can inject shell commands through the username field that execute on the Maltrail server. The tool typically runs with elevated privileges for network packet capture.
Affected Products
Maltrail <= 0.54
Remediation
Update Maltrail to a version later than 0.54. Pass subprocess arguments as a list with shell=False instead of formatting user input into a shell command string. Restrict access to the login endpoint. Run Maltrail with minimal privileges, separated from the packet-capture component that needs elevated rights.
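As an added example (not Maltrail's code and not taken from this page), the unsafe pattern described under Technical Context is sketched beside the argv-list form that the remediation calls for; the `logger` command, the log message wording and the sample client IP are assumptions.

```python
import subprocess
import sys

# Hypothetical sketch of the pattern described above, not Maltrail's own code:
# the login handler formats a log line containing the submitted username and
# hands it to subprocess.check_output().

def vulnerable_log_command(username, client_ip):
    """Shell-string form, as run with shell=True. A username containing a
    closing quote, $(...) or a backtick is parsed by /bin/sh as shell syntax.
    Returned for inspection only; this example never executes it."""
    return 'logger -t maltrail "Failed login for %s from %s"' % (username, client_ip)

def hardened_log_argv(username, client_ip):
    """argv-list form for shell=False: the whole message is one literal
    argument, so no shell ever tokenizes it. Control characters are rejected
    as well so a username cannot forge extra log lines."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in username):
        raise ValueError("control characters not allowed in username")
    return ["logger", "-t", "maltrail",
            "Failed login for %s from %s" % (username, client_ip)]

def run_without_shell(argv):
    # shell=False is the default; stated explicitly because it is the point.
    return subprocess.check_output(argv, shell=False, stderr=subprocess.STDOUT)

def demo_literal_argument(username):
    """Show that the hardened form delivers metacharacters untouched. The
    Python interpreter stands in for `logger` so this runs on any host."""
    argv = hardened_log_argv(username, "198.51.100.7")  # constructed sample IP
    argv[:3] = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
    return run_without_shell(argv).decode().rstrip("\n")

if __name__ == "__main__":
    print(vulnerable_log_command("alice; echo injected", "198.51.100.7"))
    print(demo_literal_argument("alice; echo injected"))
```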
EUVD-2025-19716