Skip to content

fix: RCE vulnerability from CVE-2025-11953#2735

Closed
thymikee wants to merge 3 commits intomainfrom
fix/rce
Closed

fix: RCE vulnerability from CVE-2025-11953#2735
thymikee wants to merge 3 commits intomainfrom
fix/rce

Conversation

@thymikee
Copy link
Member

@thymikee thymikee commented Nov 12, 2025
edited
Loading

Summary

Continuation of the fix that landed in 1508990, that prevents RCE using a spoofed URL with | character, such as: https://evil.com?|calc.exe.

cc @633kh4ck @mbaraniak-exodus

@thymikee thymikee requested a review from huntie November 12, 2025 07:45
@mbaraniak-exodus
Copy link

mbaraniak-exodus commented Nov 12, 2025

@thymikee,
The fix seems reasonable, unless you switch in the future to a new version of open, which uses PS underneath. Then you will need escape also $ (, etc.
Be aware of (non-default) delayed expansion, which will make such syntax possible !VAR!

633kh4ck
633kh4ck reviewed Nov 12, 2025
View reviewed changes
packages/cli-server-api/src/openURLMiddleware.ts
}

// Reconstruct URL with proper encoding to prevent command injection
// The URL constructor doesn't automatically encode special characters like | in query strings,
Copy link

@633kh4ck 633kh4ck Nov 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be specific, it encodes special characters, but only sets of them in each URL part 1. For example, | is encoded in userinfo:

new URL('https://user|:pass@example.com')`
// https://user%7C:pass@example.com/

Current implementation double-encodes several characters for that reason; for example, whitespaces:

const parsedUrl = new URL('https://example.com/?#some hash')
// https://example.com/?#some%20hash
const sanitizedUrl = new URL(parsedUrl.origin);
// ...
console.log(sanitizedUrl.href)
// https://example.com/#some%2520hash

A simpler approach could be:

const sanitizedUrl = encodeURI(url);

Footnotes

  1. https://url.spec.whatwg.org/#percent-encoded-bytes

633kh4ck
633kh4ck reviewed Nov 12, 2025
View reviewed changes
packages/cli-server-api/src/__tests__/openURLMiddleware.test.ts
jest.restoreAllMocks();
});

it('should sanitize URL with pipe character to prevent RCE', async () => {
Copy link

@633kh4ck 633kh4ck Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to also test for <, >, `, and 1 (don't confuse with | 2).

Footnotes

  1. https://worst.fit/mapping/#to%3A0x7c

  2. https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

@633kh4ck
Copy link

633kh4ck commented Nov 12, 2025
edited
Loading

For posterity: this is likely still fragile, but better than it was.

On a side note, this can (still) be exploited to exfiltrate some environment variables; possibilities are more limited, though. For example, https://example.com/?a=%¾TA% is encoded to https://example.com/?a=%25%C2%BETA%25 (note %BETA%).

@m01e-40x
Copy link

m01e-40x commented Jan 22, 2026

@thymikee hi,
may I ask why this fix PR has not been merged into the main branch and the latest release version?

@thymikee
Copy link
Member Author

thymikee commented Jan 22, 2026

Uh, I wanted to followup with a more robust fix, but then forgot about it. I'll try to prioritize this soon. Maintaining Community CLI is not my primary focus and anyone is free to contribute

Copilot AI mentioned this pull request Jan 27, 2026
Merged
@huntie
Copy link
Collaborator

huntie commented Jan 27, 2026

@thymikee Opened #2758 as an alternative. Uses strict-url-sanitise and continues to cover logic with our own unit tests.

@thymikee
Copy link
Member Author

thymikee commented Jan 28, 2026

Thank you @huntie, let's move the discussion there!

@thymikee thymikee closed this Jan 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@szymonrybczak szymonrybczak szymonrybczak approved these changes

@huntie huntie Awaiting requested review from huntie

+1 more reviewer

@633kh4ck 633kh4ck 633kh4ck left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@thymikee @mbaraniak-exodus @633kh4ck @m01e-40x @huntie @szymonrybczak