प्लेटफ़ॉर्म
nodejs
घटक
@siteboon/claude-code-ui
में ठीक किया गया
1.24.1
1.24.0
CVE-2026-31861 describes a Command Injection vulnerability discovered in the @siteboon/claude-code-ui Node.js package. This flaw allows attackers to execute arbitrary operating system commands through the /api/user/git-config endpoint, potentially leading to severe consequences such as data exfiltration and complete system compromise. The vulnerability impacts versions before 1.24.0 and requires JWT authentication, which may be bypassable. A fix is available in version 1.24.0.
The vulnerability lies within the /api/user/git-config endpoint, which constructs shell commands using user-supplied gitName and gitEmail values. Insufficient sanitization of these inputs allows an attacker to inject arbitrary commands into the shell execution. Successful exploitation could grant an attacker full control over the underlying server, enabling them to read sensitive files, modify system configurations, install malware, or pivot to other systems on the network. The CVSS score of 8.8 (High) highlights the significant risk, especially considering the potential for authentication bypass. This vulnerability shares similarities with other OS command injection flaws where improper input validation leads to arbitrary code execution.
CVE-2026-31861 was publicly disclosed on 2026-03-10. The vulnerability requires JWT authentication, but the description mentions a potential bypass (VULN-01), which could significantly lower the barrier to exploitation. Currently, there are no publicly available exploits, but the high CVSS score and relatively straightforward nature of command injection suggest a high probability of exploitation if a bypass is found. Monitor security advisories and threat intelligence feeds for updates.
Organizations using @siteboon/claude-code-ui in their Node.js applications, particularly those relying on JWT authentication for access control, are at risk. Development teams using this package in CI/CD pipelines or automated deployment systems are also vulnerable if they haven't implemented robust input validation. Shared hosting environments where multiple applications share the same server are especially susceptible, as a compromise of one application could lead to the compromise of others.
• nodejs / server:
ps aux | grep '/api/user/git-config' | grep -i 'gitName'| grep -i 'gitEmail'• nodejs / server:
journalctl -u your-node-app -g 'api/user/git-config' --since "1 hour ago"• generic web:
curl -I 'your-server.com/api/user/git-config?gitName=;ls' # Check for command execution in response headersdisclosure
patch
एक्सप्लॉइट स्थिति
EPSS
0.05% (16% शतमक)
CISA SSVC
The primary mitigation is to immediately upgrade to @siteboon/claude-code-ui version 1.24.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. First, strictly validate and sanitize all user-supplied input to the /api/user/git-config endpoint, ensuring that gitName and gitEmail contain only expected characters. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious shell command characters. Review and restrict the permissions of the user account running the Node.js application to minimize the impact of a successful exploit. Monitor system logs for unusual command executions or suspicious activity related to the /api/user/git-config endpoint.
Actualice Cloud CLI a la versión 1.24.0 o superior. Esta versión corrige la vulnerabilidad de inyección de comandos shell. La actualización se puede realizar descargando la última versión desde el sitio web oficial o utilizando el gestor de paquetes correspondiente.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2026-31861 is a Command Injection vulnerability in the @siteboon/claude-code-ui Node.js package, allowing attackers to execute arbitrary OS commands through the /api/user/git-config endpoint.
You are affected if you are using @siteboon/claude-code-ui versions prior to 1.24.0 and the /api/user/git-config endpoint is accessible.
Upgrade to @siteboon/claude-code-ui version 1.24.0 or later. Implement input validation and WAF rules as temporary mitigations.
While no public exploits are currently known, the high CVSS score and potential for authentication bypass suggest a high probability of exploitation.
Refer to the @siteboon/claude-code-ui project's repository or website for the official advisory and release notes.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।