![CVE](https://img.shields.io/badge/CVE-2026--45152-red)

# CVE-2026-45152 — uniget Command Injection via Unsafe `tool.Check` Execution

> CVE-2026-45152 has been officially published by GitHub Security Advisories.

## Overview

A command injection vulnerability exists in uniget due to unsafe execution of the `check` field from metadata files using `/bin/bash -c`. Because the `check` field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim's system.

* **CVE ID:** CVE-2026-45152
* **Affected Version:** uniget CLI ≤ 0.27.0
* **Fixed In:** uniget CLI 0.27.1
* **Severity:** High
* **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

---

## Description

The vulnerability exists in the `RunVersionCheck()` function, where uniget executes the `tool.Check` field using `/bin/bash -c`. Because metadata files are parsed directly into the `Tool` structure using `json.Unmarshal()`, attacker-controlled input can reach the shell execution sink without validation.

The following vulnerable pattern was identified:

```go
cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'")
```

Since `/bin/bash -c` interprets shell metacharacters such as `;`, `&&`, `|`, `$()`, and backticks, arbitrary shell commands may be injected and executed.

---

## Impact

An attacker processing malicious metadata may be able to:

* Execute arbitrary shell commands
* Exfiltrate sensitive files or environment variables
* Install malware or backdoors
* Modify or delete accessible files
* Establish persistence on the victim machine
* Compromise CI/CD environments using uniget automation

Commands execute with the privileges of the user running uniget.

---

## Preconditions

* The victim must process attacker-controlled metadata files.
* The vulnerable uniget version must invoke the `tool.Check` field through `/bin/bash -c`.
* The attacker must be able to supply malicious metadata containing shell metacharacters.

---

## Workarounds

* Avoid using `/bin/bash -c` with untrusted input.
* Sanitize or strictly validate metadata fields before execution.
* Execute fixed binaries and arguments directly without invoking a shell.
* Run uniget in isolated or low-privilege environments when processing untrusted metadata.

---

## References

* https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5

---

## Discoverer

**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))
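---

## Hardened Example

The Go program below is an added illustration, not code from the advisory or from the uniget project: it shows a replacement for the `/bin/bash -c ... | tr -d '\n'` sink from the Description that follows the Workarounds (validate the metadata field, then execute the program and its arguments directly without a shell). The `Tool` field names, `ValidateCheck`, `RunCheckSafe` and the sample metadata are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
)

// Tool mirrors the metadata shape the advisory describes (field names assumed).
type Tool struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// shellMeta holds characters bash treats specially; any of them rejects the check.
const shellMeta = ";&|$`<>(){}[]*?!#~\\\"'\n\r"
// ValidateCheck allow-lists the check: no metacharacters, non-empty argv, bare program name.
func ValidateCheck(check string) ([]string, error) {
	if strings.ContainsAny(check, shellMeta) {
		return nil, fmt.Errorf("check %q contains shell metacharacters", check)
	}
	argv := strings.Fields(check)
	if len(argv) == 0 {
		return nil, fmt.Errorf("check is empty")
	}
	if strings.Contains(argv[0], "/") {
		return nil, fmt.Errorf("check must name a program, not a path: %q", argv[0])
	}
	return argv, nil
}

// RunCheckSafe replaces `/bin/bash -c check | tr -d '\n'`: validated argv, no shell, newlines stripped in Go.
func RunCheckSafe(tool Tool) (string, error) {
	argv, err := ValidateCheck(tool.Check)
	if err != nil {
		return "", fmt.Errorf("tool %q: %w", tool.Name, err)
	}
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	if err != nil {
		return "", fmt.Errorf("tool %q: %w", tool.Name, err)
	}
	return strings.ReplaceAll(string(out), "\n", ""), nil
}

func main() {
	var t Tool // constructed sample metadata, unmarshalled directly as the advisory describes
	_ = json.Unmarshal([]byte(`{"name":"demo","check":"echo 1.2.3"}`), &t)
	fmt.Println(RunCheckSafe(t))
}
```

Because `exec.Command` receives the program and each argument separately, a `;` or `$()` in the metadata can no longer change what is executed; `ValidateCheck` rejects such values before any process starts.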