Skip to content

fix: RCE vulnerability from CVE-2025-11953 #2735

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: RCE vulnerability from CVE-2025-11953 #2735

wants to merge 3 commits into from
+170 −8

Conversation

@thymikee
Copy link
Member

@thymikee thymikee commented Nov 12, 2025
edited
Loading

Summary

Continuation of the fix that landed in 1508990, that prevents RCE using a spoofed URL with | character, such as: https://evil.com?|calc.exe.

cc @633kh4ck @mbaraniak-exodus

@thymikee thymikee requested a review from huntie November 12, 2025 07:45
@mbaraniak-exodus
Copy link

mbaraniak-exodus commented Nov 12, 2025

@thymikee,
The fix seems reasonable, unless you switch in the future to a new version of open, which uses PS underneath. Then you will need escape also $ (, etc.
Be aware of (non-default) delayed expansion, which will make such syntax possible !VAR!

633kh4ck
633kh4ck reviewed Nov 12, 2025
View reviewed changes
packages/cli-server-api/src/openURLMiddleware.ts
}

// Reconstruct URL with proper encoding to prevent command injection
// The URL constructor doesn't automatically encode special characters like | in query strings,
Copy link

@633kh4ck 633kh4ck Nov 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be specific, it encodes special characters, but only sets of them in each URL part 1. For example, | is encoded in userinfo:

new URL('https://user|:[email protected]')`
// https://user%7C:[email protected]/

Current implementation double-encodes several characters for that reason; for example, whitespaces:

const parsedUrl = new URL('https://example.com/?#some hash')
// https://example.com/?#some%20hash
const sanitizedUrl = new URL(parsedUrl.origin);
// ...
console.log(sanitizedUrl.href)
// https://example.com/#some%2520hash

A simpler approach could be:

const sanitizedUrl = encodeURI(url);

Footnotes

  1. https://url.spec.whatwg.org/#percent-encoded-bytes

633kh4ck
633kh4ck reviewed Nov 12, 2025
View reviewed changes
packages/cli-server-api/src/__tests__/openURLMiddleware.test.ts
jest.restoreAllMocks();
});

it('should sanitize URL with pipe character to prevent RCE', async () => {
Copy link

@633kh4ck 633kh4ck Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to also test for <, >, `, and 1 (don't confuse with | 2).

Footnotes

  1. https://worst.fit/mapping/#to%3A0x7c

  2. https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

@633kh4ck
Copy link

633kh4ck commented Nov 12, 2025

This is likely still fragile, but better than it was.

On a side note, this can (still) be exploited to exfiltrate some environment variables; possibilities are more limited, though. For example, https://example.com/?a=%¾TA% is encoded to https://example.com/?a=%25%C2%BETA%25 (note %BETA%).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@szymonrybczak szymonrybczak szymonrybczak approved these changes

@huntie huntie Awaiting requested review from huntie

+1 more reviewer

@633kh4ck 633kh4ck 633kh4ck left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@thymikee @mbaraniak-exodus @633kh4ck @szymonrybczak