CVE-2026-31862

Description

### Summary Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. ### Details The claudecodeui application provides Git integration through various API endpoints. These endpoints accept user-controlled parameters such as file paths, branch names, commit messages, and commit hashes, which are directly interpolated into shell command strings passed to execAsync(). The application attempts to escape double quotes in some parameters, but this protection is trivially bypassable using other shell metacharacters such as: Command substitution: $(command) or \`command\` Command chaining: ;, &&, || Newlines and other control characters ### Affected Endpoints `GET /api/git/diff - file parameter` `GET /api/git/status - file parameter` `POST /api/git/commit - files array and message parameter` `POST /api/git/checkout - branch parameter` `POST /api/git/create-branch - branch parameter` `GET /api/git/commits - commit hash parameter` `GET /api/git/commit-diff - commit parameter` ### Vulnerable Code File: server/routes/git.js ``` // Line 205 - git status with file parameter const { stdout: statusOutput } = await execAsync( `git status --porcelain "${file}"`, // INJECTION via file { cwd: projectPath } ); ``` ``` // Lines 375-379 - git commit with files array and message for (const file of files) { await execAsync(`git add "${file}"`, { cwd: projectPath }); // INJECTION via files[] } const { stdout } = await execAsync( `git commit -m "${message.replace(/"/g, '\\"')}"`, // INJECTION via message (bypass with $()) { cwd: projectPath } ); ``` ``` // Lines 541-543 - git show with commit parameter (no quotes!) const { stdout } = await execAsync( `git show ${commit}`, // INJECTION via commit { cwd: projectPath } ); ``` ### Impact - Remote Code Execution as the Node.js process user - Full server compromise - Data exfiltration - Supply chain attacks - modify committed code to inject malware --- ### Fix **Commit:** siteboon/claudecodeui@55567f4 #### Root cause remediation All vulnerable `execAsync()` calls have been replaced with the existing `spawnAsync()` helper (which uses `child_process.spawn` with `shell: false`). Arguments are passed as an array directly to the OS — shell metacharacters in user input are inert. **Endpoints patched in `server/routes/git.js`:** - `GET /api/git/diff` — `file` (4 calls) - `GET /api/git/file-with-diff` — `file` (3 calls) - `POST /api/git/commit` — `files[]`, `message` - `POST /api/git/checkout` — `branch` - `POST /api/git/create-branch` — `branch` - `GET /api/git/commits` — `commit.hash` - `GET /api/git/commit-diff` — `commit` - `POST /api/git/generate-commit-message` — `file` - `POST /api/git/discard` — `file` (3 calls) - `POST /api/git/delete-untracked` — `file` - `POST /api/git/publish` — `branch` A strict allowlist regex (`/^[0-9a-f]{4,64}$/i`) was also added to validate the `commit` parameter in `/api/git/commit-diff` before it reaches the git process. #### Before / After ```js // BEFORE — shell interprets the string, injection possible const { stdout } = await execAsync(`git show ${commit}`, { cwd: projectPath }); // AFTER — no shell, args passed directly to the process const { stdout } = await spawnAsync('git', ['show', commit], { cwd: projectPath }); ```

Description

How to fix CVE-2026-31862

Is CVE-2026-31862 being exploited?

Affected packages (1)

CVSS scores

References (4)