CVE-2025-50946

Published Aug 13, 2025

Last updated 7 months ago

CVSS medium 6.5

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-50946 describes an OS command injection vulnerability identified in `github.com/olivetin/olivetin`. The flaw resides within the `ParseRequestURI` function, located in `service/internal/executor/arguments.go`. This vulnerability allows an attacker to execute arbitrary operating system commands on the affected system. The root cause of this issue is insufficient validation of URL-type arguments. Specifically, the `typeSafetyCheckUrl` function, which uses `url.ParseRequestURI`, permits characters such as semicolons that can be leveraged to chain commands in a shell. By crafting a malicious URI, a remote attacker can exploit this weakness to inject and execute commands without requiring authentication.

Description
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
Source
cve@mitre.org
NVD status
Analyzed
Products
olivetin

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
2.5
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-78

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. Your latest Dragon Drop has landed, and this time, we have four high-impact CVE labs now live across Learn One, PG Practice, and Learn Enterprise. 🔥 CVE-2024-32880: SSTI in PyLoad 0.5.0.0. 🔗 https://t.co/xtr5nFI3Na 🔥 CVE-2025-50946: Misconfigured OliveTin exploitation.

    @offsectraining

    6 May 2026

    4892 Impressions

    4 Retweets

    60 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.CVE-2026-32102
  2. OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.CVE-2026-31817
  3. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.CVE-2026-30233
  4. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1.CVE-2026-30225
  5. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.CVE-2026-30224

References

Sources include official advisories and independent security research.