Summary
- There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.
- Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip.
Both vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).
Details
- The XSS vulnerability is here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887 Specifically, the name parameter is inserted into the page's breadcrumbs without sanitization.
- The Command Injection happens here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382
PoC
- A minimal PoC for the XSS can be as simple as: http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A (assuming saltcorn running at localhost:3000 and the user having an active admin session)
- For the Command Injection, visit the backup section of saltcorn, set an admin password like ";$(whoami);" (including the quotation marks) and then click "Download a backup" in the "Manual backup" section. This should display an error page saying that /bin/sh could not find the binary named "root" or "saltcorn", depending on the user.
An example of an exploit that chains both vulnerabilities and generates the aforementioned malicious link:
exploit.zip
Affected Versions
Edit: The following Docker images from Docker Hub were tested: 1.4.1, 1.4.0, 1.3.1, 1.3.0, 1.2.0, 1.1.2, 1.1.1, 1.0.0
The Command Injection is applicable to versions >= 1.3.0.
The XSS is applicable to versions >= 1.1.1.
Impact
Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command. Typical impact: arbitrary command execution in the application's environment.
GHSA-CR3W-CW5W-H3FJ has a CVSS score of 9.6 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.5.0-beta.19); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-CR3W-CW5W-H3FJ? GHSA-CR3W-CW5W-H3FJ is a critical-severity command injection vulnerability in @saltcorn/server (npm), affecting versions >= 1.1.1, < 1.5.0-beta.19. It is fixed in 1.5.0-beta.19. Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command.
- How severe is GHSA-CR3W-CW5W-H3FJ? GHSA-CR3W-CW5W-H3FJ has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @saltcorn/server are affected by GHSA-CR3W-CW5W-H3FJ? @saltcorn/server (npm) versions >= 1.1.1, < 1.5.0-beta.19 are affected.
- Is there a fix for GHSA-CR3W-CW5W-H3FJ? Yes. GHSA-CR3W-CW5W-H3FJ is fixed in 1.5.0-beta.19. Upgrade to this version or later.
- Is GHSA-CR3W-CW5W-H3FJ exploitable, and should I be worried? Whether GHSA-CR3W-CW5W-H3FJ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-CR3W-CW5W-H3FJ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-CR3W-CW5W-H3FJ? Upgrade @saltcorn/server to 1.5.0-beta.19 or later.