Platform: go
Component: github.com/zalando/skipper
Fixed in: 0.23.1, 0.23.0
Skipper, a Go-based API gateway, is vulnerable to arbitrary code execution (RCE) due to insecure handling of Lua filters. This vulnerability allows an attacker to inject and execute malicious code through crafted filter configurations, potentially leading to complete system compromise. Versions 0.22.x and below are affected; upgrading to version 0.23.0 resolves the issue.
The RCE vulnerability in Skipper arises from the lack of proper sanitization and validation of Lua filter input. An attacker who can control or modify the filter configuration can inject arbitrary Lua code. This code will be executed with the privileges of the Skipper process, granting the attacker the ability to read, write, and execute files on the system. Successful exploitation could lead to data exfiltration, denial of service, or even complete takeover of the server hosting Skipper. The impact is particularly severe in environments where Skipper is used to proxy sensitive traffic or manage critical APIs.
CVE-2026-23742 was publicly disclosed on 2026-02-03. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is currently assessed as medium, given the RCE nature of the vulnerability and the potential for attackers to develop exploits.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation is to upgrade Skipper to version 0.23.0 or later, which includes the necessary fixes to prevent arbitrary code execution. If upgrading immediately is not possible, consider temporarily disabling Lua filters entirely. This can be achieved by removing or commenting out any filter configurations that utilize Lua. As a further precaution, implement strict input validation and sanitization for all filter configurations. Monitor Skipper logs for any suspicious activity related to Lua filter execution. Consider using a Web Application Firewall (WAF) to filter out potentially malicious Lua code.
Update Skipper to version 0.23.0 or higher. This version addresses the vulnerability that allows arbitrary code execution through Lua filters. Ensure you review your Lua filter configuration to prevent the execution of untrusted code.
CVE-2026-23742 is a Remote Code Execution vulnerability in Skipper versions 0.22.x and below, allowing attackers to execute arbitrary code through Lua filters.
You are affected if you are using Skipper versions 0.22.x or earlier and are utilizing Lua filters. Upgrade to 0.23.0 or later to mitigate the risk.
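As an added example, not taken from the advisory or the Skipper project, the following Go program reads a go.mod and reports whether the pinned github.com/zalando/skipper version is older than the 0.23.0 threshold stated above. The go.mod fragment is constructed, and the function names and the choice of 0.23.0 as the cut-off are assumptions made for this example.

```go
package main
import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment for illustration; not taken from any real project.
const sampleGoMod = `require (
	github.com/zalando/skipper v0.22.9
	golang.org/x/net v0.27.0 // indirect
)`
// SkipperVersion returns the version a go.mod requires for github.com/zalando/skipper, or "".
func SkipperVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line) // handles both block and single-line require forms
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "github.com/zalando/skipper" {
				return f[i+1]
			}
		}
	}
	return ""
}
// parseVersion turns "vMAJOR.MINOR.PATCH[-pre|+meta]" into numeric parts plus a pre-release flag.
func parseVersion(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, pre = v[:i], v[i] == '-' // rc tags and pseudo-versions sort before the bare release
	}
	_, err = fmt.Sscanf(v, "%d.%d.%d", &parts[0], &parts[1], &parts[2]) // malformed -> err
	return parts, pre, err
}
// Affected reports whether the go.mod pins a Skipper release older than the first fixed one.
func Affected(gomod string) (bool, error) {
	v := SkipperVersion(gomod)
	if v == "" {
		return false, nil // Skipper is not a dependency at all
	}
	got, pre, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseVersion("v0.23.0") // threshold taken from the advisory text (assumed)
	if got == fixed {
		return pre, nil // a pre-release or pseudo-version of 0.23.0 still predates the fix
	}
	return got[0] < fixed[0] || got[0] == fixed[0] && (got[1] < fixed[1] || got[1] == fixed[1] && got[2] < fixed[2]), nil
}

func main() { fmt.Println(Affected(sampleGoMod)) } // prints: true <nil>
```

A `replace` directive or minimal-version selection through other dependencies can change the version actually built, so `go list -m github.com/zalando/skipper` is the authoritative source for the selected version.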
Upgrade Skipper to version 0.23.0 or later. If immediate upgrade is not possible, disable Lua filters until you can upgrade.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the official Skipper GitHub repository and release notes for the latest information and security advisories: https://github.com/zalando/skipper