Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.
AnalysisAI
Remote code execution in Evolver versions before 1.69.3 allows unauthenticated network attackers to execute arbitrary shell commands via command injection in the _extractLLM() function. Attackers exploit unsanitized corpus parameters passed to execSync() through string concatenation in a curl command, achieving full system compromise. GitHub security advisory GHSA-j5w5-568x-rq53 confirms the vulnerability with proof-of-concept demonstrating shell command substitution bypass. CVSS score of 9.8 reflects no authentication or user interaction requirements. No CISA KEV listing or EPSS data provided, suggesting exploitation status remains uncertain beyond confirmed POC availability.
Technical ContextAI
Evolver is a GEP (Genetic Expression Programming)-powered self-evolving engine for AI agents, implemented in Node.js. The vulnerability exists in src/gep/signals.js lines 260-274 within the _extractLLM() function, which constructs HTTP requests to a GEP hub endpoint. The function uses Node.js child_process.execSync() to execute a curl command built via string concatenation, incorporating the corpus parameter derived from user input through extractSignals() function processing. While the code applies JSON.stringify() to escape some characters and uses single-quote escaping, these protections fail against shell command substitution syntax like $(command) or backticks. The vulnerable code path begins in src/gep/evolver.js main evolution loop, processing user snippets and session transcripts, flowing through extractSignals() into _extractLLM() without intermediate sanitization. This represents CWE-78 (OS Command Injection) - a neutralization failure where external input influences command construction without proper input validation or use of parameterized APIs. The affected package cpe:2.3:a:evomap:evolver targets npm/@evomap/evolver JavaScript library deployments.
RemediationAI
Upgrade immediately to Evolver version 1.69.3 or later, available via npm update @evomap/evolver or from GitHub release https://github.com/EvoMap/evolver/releases/tag/v1.69.3. The patched version replaces execSync()-based curl execution with native Node.js HTTPS libraries that use parameterized APIs immune to shell injection. If immediate upgrade is blocked by compatibility testing, implement these compensating controls with noted trade-offs: (1) Input validation - reject corpus parameters containing shell metacharacters $(){}`;|&<> using allowlist-only validation, though this may break legitimate AI agent processing of code snippets or technical content. (2) Network isolation - restrict GEP hub connectivity to internal-only endpoints via firewall rules, preventing external attackers from triggering the vulnerable code path, but disabling cloud-based GEP functionality. (3) Process sandboxing - run Evolver engine in containerized environment with minimal privileges using seccomp profiles blocking execve() syscalls, reducing post-exploitation impact but not preventing initial code execution. (4) Remove GEP extraction - disable extractSignals() function calls in src/gep/evolver.js evolution loop if LLM-powered signal extraction is non-critical, eliminating the attack surface entirely at cost of reduced AI agent capabilities. Verify patch application by confirming execSync() no longer appears in src/gep/signals.js or that curl commands use shell-safe argument arrays rather than concatenated strings.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27009
GHSA-j5w5-568x-rq53