Description
The DevShell/BashManager application provides core functionality to execute arbitrary bash scripts and commands via endpoints such as /api/exec and /api/scripts/run. Because the server runs locally on the developer's machine (e.g., http://127.0.0.1:5000) and lacks any authentication or authorization mechanisms, it implicitly trusts all incoming requests.
Furthermore, the application does not implement Cross-Site Request Forgery (CSRF) protections, such as:
- Anti-CSRF tokens
- SameSite cookie enforcement (applicable if authentication was present)
- Strict Origin or Host header validation
Impact
If a developer running this application visits a malicious website, an attacker can leverage CSRF (via hidden forms, fetch requests, or text/plain POST payloads that bypass simple CORS preflights) or DNS Rebinding (by pointing a malicious domain to 127.0.0.1) to send unauthorized requests to the local server.
Because the API endpoints natively execute commands on the host, this directly leads to Unauthenticated Remote Code Execution (RCE). The attacker gains the ability to execute arbitrary commands with the privileges of the user running the DevShell, potentially leading to total system compromise, data exfiltration, or installation of malware.
Affected Endpoints
- POST /api/exec
- POST /api/scripts/run
- POST /api/scripts/save
- Any other state-modifying API endpoint that lacks header/Origin validation.
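As an added example (not code from the DevShell/BashManager project), the following Python function shows the Host and Origin header validation the advisory lists as missing, applied to a few constructed sample requests. The bind address 127.0.0.1:5000 comes from the description above; the ALLOWED_HOSTS and STATE_CHANGING names, the JSON-only Content-Type rule and the SAMPLE_REQUESTS data are assumptions made for this example.

```python
"""Host/Origin validation for a localhost-only command-executing API.

Added example, not the project's own code. The function is framework-agnostic:
call it with the request method and headers before dispatching any request to
/api/exec, /api/scripts/run or another state-changing endpoint.
"""
from urllib.parse import urlsplit

# Assumed bind address of the local server (from the advisory: 127.0.0.1:5000).
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}
# Methods that may change state on the host and therefore need the full check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_allowed(origin):
    """True only if the Origin is the server itself (scheme and host:port)."""
    parts = urlsplit(origin)
    return parts.scheme in {"http", "https"} and parts.netloc in ALLOWED_HOSTS


def check_request(method, headers):
    """Return (allowed, reason) for one request.

    `headers` is a plain dict of request headers; lookup is case-insensitive.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host check. Under DNS rebinding the browser connects to 127.0.0.1 but
    #    sends the attacker-controlled hostname in Host, so anything other than
    #    the configured bind address is rejected, for every method.
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"rejected: unexpected Host {host!r}"

    if method.upper() not in STATE_CHANGING:
        return True, "allowed: safe method"

    # 2. Origin check. Browsers attach Origin to cross-site POSTs, including
    #    hidden-form and text/plain submissions, and page script cannot set or
    #    strip it. A missing or "null" Origin is treated as untrusted.
    origin = h.get("origin")
    if origin is None or origin == "null":
        return False, "rejected: state-changing request without a usable Origin"
    if not _origin_allowed(origin):
        return False, f"rejected: cross-site Origin {origin!r}"

    # 3. Content-Type check. Accepting only application/json means a cross-site
    #    caller would trigger a CORS preflight, which this server never answers.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"rejected: Content-Type {ctype!r} is not application/json"

    return True, "allowed: same-origin JSON request"


# Constructed sample requests, one per scenario in the advisory.
SAMPLE_REQUESTS = {
    "legit_ui": ("POST", {"Host": "127.0.0.1:5000",
                          "Origin": "http://127.0.0.1:5000",
                          "Content-Type": "application/json"}),
    "csrf_text_plain": ("POST", {"Host": "127.0.0.1:5000",
                                 "Origin": "https://evil-site.example",
                                 "Content-Type": "text/plain"}),
    "dns_rebinding": ("POST", {"Host": "rebind.evil-site.example:5000",
                               "Origin": "http://rebind.evil-site.example:5000",
                               "Content-Type": "application/json"}),
    "post_without_origin": ("POST", {"Host": "127.0.0.1:5000",
                                     "Content-Type": "application/json"}),
    "get_status": ("GET", {"Host": "127.0.0.1:5000"}),
}


if __name__ == "__main__":
    for name, (method, headers) in SAMPLE_REQUESTS.items():
        allowed, reason = check_request(method, headers)
        print(f"{name:20s} {method:5s} -> {reason}")
```

Each check maps to one vector in the Impact section: the Host check stops DNS rebinding, the Origin check stops hidden-form and fetch CSRF, and the JSON-only rule turns the text/plain preflight bypass into a preflighted request the server never approves. A non-browser client of the local server (curl, an editor plugin) would have to send a matching Origin header, or the server would need the anti-CSRF token the advisory also lists.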