Platform: go
Component: github.com/zalando/skipper
Fixed versions: 0.23.1, 0.23.0
Skipper, a Go-based API gateway, is vulnerable to arbitrary code execution (RCE) due to insecure handling of Lua filters. This vulnerability allows an attacker to inject and execute malicious code through crafted filter configurations, potentially leading to complete system compromise. Versions 0.22.x and below are affected; upgrading to version 0.23.0 resolves the issue.
The RCE vulnerability in Skipper arises from the lack of proper sanitization and validation of Lua filter input. An attacker who can control or modify the filter configuration can inject arbitrary Lua code. This code will be executed with the privileges of the Skipper process, granting the attacker the ability to read, write, and execute files on the system. Successful exploitation could lead to data exfiltration, denial of service, or even complete takeover of the server hosting Skipper. The impact is particularly severe in environments where Skipper is used to proxy sensitive traffic or manage critical APIs.
CVE-2026-23742 was publicly disclosed on 2026-02-03. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is currently assessed as medium, given the RCE nature of the vulnerability and the potential for attackers to develop exploits.
Organizations using Skipper as an API gateway, particularly those relying on Lua filters for request modification or routing, are at risk. Environments with limited security controls or those running older, unpatched versions of Skipper are especially vulnerable. Shared hosting environments where multiple users share the same Skipper instance could also be affected.
• go / process monitoring: Use ps aux | grep skipper to identify running Skipper processes. Monitor their resource usage for unusual spikes.
ps aux | grep skipper
• go / file integrity: Check the integrity of Skipper's binary and configuration files using checksums. Compare against known good values.
md5sum /usr/local/bin/skipper /etc/skipper/skipper.yaml
• generic web / request inspection: Examine incoming requests to Skipper for unusual Lua filter parameters or payloads. Look for patterns indicative of code injection attempts.
• generic web / log analysis: Review Skipper's access and error logs for any errors or warnings related to Lua filter execution. Search for keywords like 'lua', 'error', and 'filter'.
Disclosure
Exploitation status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Skipper to version 0.23.0 or later, which includes the necessary fixes to prevent arbitrary code execution. If upgrading immediately is not possible, consider temporarily disabling Lua filters entirely. This can be achieved by removing or commenting out any filter configurations that utilize Lua. As a further precaution, implement strict input validation and sanitization for all filter configurations. Monitor Skipper logs for any suspicious activity related to Lua filter execution. Consider using a Web Application Firewall (WAF) to filter out potentially malicious Lua code.
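The detection and mitigation steps above (version check, finding route configurations that use Lua filters, scanning logs for Lua filter errors) as one added POSIX shell example; this is not code from the advisory or the Skipper project. It assumes the installed version is supplied as a string, that routes live in an eskip-style file where the Lua filter is referenced as lua(...), and that the sample route file and log lines are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumptions: version string is
# supplied by the caller; routes are in an eskip-style file where the Lua
# filter appears as lua(...); logs are plain text, one event per line.

FIXED_VERSION="0.23.0"   # first fixed version named in the advisory

# Return 0 (true) when version $1 is older than the fixed version, else 1.
skipper_version_vulnerable() {
    awk -v have="$1" -v fixed="$FIXED_VERSION" 'BEGIN {
        n = split(have, h, "."); m = split(fixed, f, ".")
        for (i = 1; i <= 3; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? f[i] + 0 : 0
            if (a < b) exit 0   # older than the fix: vulnerable
            if (a > b) exit 1   # newer than the fix: not vulnerable
        }
        exit 1                  # equal to the fix: not vulnerable
    }'
}

# Print (with line numbers) every route that references the lua filter,
# i.e. the configurations the advisory says to remove or comment out.
routes_using_lua() {
    grep -nE '(^|[^A-Za-z0-9_])lua[[:space:]]*\(' "$1"
}

# Print log lines mentioning lua together with error/warn/filter keywords.
suspicious_log_lines() {
    grep -iE 'lua' "$1" | grep -iE 'error|warn|filter'
}

# Constructed sample inputs so the script runs offline.
ROUTES=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$ROUTES" "$LOG"' EXIT
cat >"$ROUTES" <<'EOF'
health: Path("/healthz") -> status(200) -> <shunt>;
rewrite: Path("/api/*") -> lua("function request(ctx, params) ctx.request.header['X-Checked'] = 'yes' end") -> "http://backend:8080";
static: Path("/static/*") -> "http://static:8080";
EOF
cat >"$LOG" <<'EOF'
2026-02-03T10:00:00Z INFO route health matched
2026-02-03T10:00:01Z ERROR lua filter rewrite: runtime error in request()
2026-02-03T10:00:02Z INFO route static matched
EOF

count_lua_routes() { routes_using_lua "$1" | wc -l | tr -d ' '; }
count_suspicious() { suspicious_log_lines "$1" | wc -l | tr -d ' '; }
```

Run it against your real route file and log path in place of the constructed ones; a non-empty routes_using_lua output on a version reported vulnerable is the configuration to disable until the upgrade lands.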
Upgrade Skipper to version 0.23.0 or later. This version fixes the vulnerability that allows arbitrary code execution through Lua filters. Make sure to review your Lua filter configuration to avoid executing untrusted code.
CVE-2026-23742 is a Remote Code Execution vulnerability in Skipper versions 0.22.x and below, allowing attackers to execute arbitrary code through Lua filters.
You are affected if you are using Skipper versions 0.22.x or earlier and are utilizing Lua filters. Upgrade to 0.23.0 or later to mitigate the risk.
Upgrade Skipper to version 0.23.0 or later. If immediate upgrade is not possible, disable Lua filters until you can upgrade.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the official Skipper GitHub repository and release notes for the latest information and security advisories: https://github.com/zalando/skipper