## GCP Cloud Driver Exposes HIGH-Severity Command Injection Risk in Critical Function
A high-severity command injection risk has been reported in a core Google Cloud Platform (GCP) driver script. The finding concerns the `_gcp_exec_long` function in `sh/e2e/lib/clouds/gcp.sh`, which assembles the command line for remote execution by string interpolation. The pattern is unsafe as written: its safety rests on an invariant (that the interpolated value is pure base64 output) which the string construction itself never checks, so any caller that can influence the interpolated values without passing through the encoding step gets arbitrary command execution on the target instance.

The vulnerability occurs on lines 186-192. The function base64-encodes the command to keep shell metacharacters out of the remote command line, but then splices the encoded value into a double-quoted string handed to SSH: `"timeout ${timeout} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\""`. Two points need to be precise here. First, the local shell only expands `${timeout}` and `${encoded_cmd}`; it does not re-parse the expanded values, so backticks or `$( )` inside the variable are not executed locally. The hazard is on the remote side: SSH passes the finished string to the instance's login shell, which parses it from scratch. A value of `encoded_cmd` containing a single quote terminates the `'...'` around the payload, and whatever follows is executed by the remote shell before `base64 -d` ever runs; `${timeout}` is spliced in unquoted by the same string, so a value such as `5; <command>` is executed the same way. Second, the caveat a reviewer must weigh: genuine `base64` output consists only of `[A-Za-z0-9+/=]`, none of which are shell metacharacters, so when `encoded_cmd` really is the output of the function's own encoding step the payload path cannot be abused. The flaw is therefore a fragile design in a component responsible for remote command execution on GCP instances, and it becomes an exploitable injection wherever `encoded_cmd` or `timeout` can be set by a caller without going through that encoding.

This vulnerability places any system or pipeline utilizing this driver at risk to the extent that the interpolated values are attacker-influenced. The impact is full command execution on the target instance with the privileges of the SSH identity the script uses. The recommended mitigations are to keep untrusted data off the remote command line entirely: send the encoded payload over the SSH session's stdin with a constant remote command (for example `ssh -T` with `bash -c "$(base64 -d)"` or `bash -s` on the remote side), and, as defence in depth, validate `encoded_cmd` against the base64 alphabet and `timeout` as an integer before either is interpolated. Note that single-quoting the entire remote command, sometimes suggested for this class of bug, would also suppress the `${encoded_cmd}` expansion and so break the function rather than fix it. Until patched, this flaw represents a security gap in GCP automation and testing workflows that every caller of `_gcp_exec_long` should be audited against.
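The following is an added example, not code from `sh/e2e/lib/clouds/gcp.sh` or the project that ships it. It rebuilds the `_gcp_exec_long` quoting pattern locally so the behaviour described above can be exercised without SSH or a GCP instance: `remote_shell` stands in for `ssh <instance> "<cmd>"` (a fresh `bash -c` parses the string exactly as the remote login shell would), the crafted inputs are constructed for the demonstration, and GNU coreutils `timeout` and `base64 -d` are assumed. It shows the original construction working with genuine base64, the same construction executing attacker text when `encoded_cmd` or `timeout` is not what the encoding step would produce, and a hardened variant that keeps the payload on stdin.

```bash
#!/usr/bin/env bash
# Added example, not code from sh/e2e/lib/clouds/gcp.sh. Rebuilds the
# _gcp_exec_long quoting pattern locally. Assumes GNU coreutils
# (timeout, base64 -d). All inputs below are constructed for the demo.

# Stand-in for `ssh <instance> "<cmd>"`: ssh hands the string to the remote
# login shell, which parses it just as this `bash -c` does. stdin passes
# through, as it does over an ssh session.
remote_shell() { bash -c "$1"; }

# base64 with no line wrapping; the output alphabet is [A-Za-z0-9+/=] only.
encode_cmd() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Defence-in-depth check the original string construction lacks: anything
# outside the base64 alphabet (quotes, $, backtick, ;, whitespace) is rejected.
is_base64_alphabet() {
    case "$1" in
        '' | *[!A-Za-z0-9+/=]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The page's construction: both variables are spliced into the string the
# remote shell will parse; neither is validated here.
build_remote_cmd_unsafe() {
    local timeout="$1" encoded_cmd="$2"
    printf '%s' "timeout ${timeout} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\""
}

run_unsafe() { remote_shell "$(build_remote_cmd_unsafe "$1" "$2")"; }

# Hardened variant: the remote command line is constant apart from an
# integer-checked timeout, and the payload travels as data on stdin
# (with real ssh: printf '%s' "$enc" | ssh -T "$host" "$remote_cmd").
run_hardened() {
    local timeout="$1" enc
    case "$timeout" in '' | *[!0-9]*) echo "timeout must be an integer" >&2; return 2 ;; esac
    enc=$(encode_cmd "$2")
    is_base64_alphabet "$enc" || return 2
    printf '%s' "$enc" | remote_shell "timeout ${timeout} bash -c \"\$(base64 -d)\""
}

# --- demonstrations (constructed inputs) ---

# 1. Genuine base64 in encoded_cmd: the original pattern works as intended.
demo_legit() { run_unsafe 5 "$(encode_cmd 'echo hello')"; }

# 2. A value that is not base64 output: the single quote closes the remote
#    '...' and the rest runs on the instance before base64 -d does.
CRAFTED_ENCODED="'; echo \"echo INJECTED\"; : '"
demo_payload_injected() { run_unsafe 5 "$CRAFTED_ENCODED"; }

# 3. ${timeout} is spliced unquoted into the same string, so it is an
#    injection point too (timeout's usage error on stderr is discarded).
demo_timeout_injected() {
    run_unsafe '5; echo TIMEOUT_INJECTED; :' "$(encode_cmd 'echo hello')" 2>/dev/null
}

# 4. The alphabet check rejects the crafted value before it is interpolated.
demo_rejected() { if is_base64_alphabet "$CRAFTED_ENCODED"; then return 1; else return 0; fi; }

# 5. Hardened path: metacharacters inside the command are plain data, and a
#    non-integer timeout is refused before anything reaches the instance.
demo_hardened() { run_hardened 5 'echo hello'; }
demo_hardened_literal() { run_hardened 5 "echo '\$(id)'"; }
demo_bad_timeout() { if run_hardened '5; echo X' 'echo hello'; then return 1; else return 0; fi; }

# Usage when run directly:
demo_legit; demo_payload_injected; demo_timeout_injected; demo_hardened; demo_hardened_literal
```

The hardened path has the usual stdin trade-off: because the remote `base64 -d` consumes the session's stdin, the executed command cannot read interactive input itself, which is acceptable for a driver that runs scripted e2e steps. The alphabet check is cheap and worth keeping even once the payload moves to stdin, since it turns any future misuse of the function into a loud failure instead of a remote shell.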
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, GCP, command injection, cloud
- **Credibility**: unverified
- **Published**: 2026-03-26 22:27:20
- **ID**: 36176
- **URL**: https://whisperx.ai/en/intel/36176