## Critical Shell Injection in aios.js: execSync Template String Enables Remote Code Execution A critical shell injection vulnerability has been identified in the `bin/aios.js` script, exposing systems to potential remote code execution (RCE). The flaw resides on line 15, where the `execSync` function uses a template string to construct a PowerShell command. This construction method allows an attacker to inject arbitrary shell commands if the `setupPath` variable contains special characters like spaces, quotes, or semicolons. The risk is compounded by the use of the `-ExecutionPolicy Bypass` flag, which completely disables PowerShell's native security mechanisms on Windows, creating a severe threat in multi-user environments. The vulnerability stems from two primary issues. First, the insecure concatenation of user-influenced input (`setupPath`) directly into a shell command string creates a classic injection vector. Second, the policy bypass flag removes a critical layer of defense, making exploitation trivial. The provided fix demonstrates the correct mitigation: replacing `execSync` with `spawnSync` and passing arguments as a secure array, while downgrading the execution policy to the more restrictive `RemoteSigned`. The impact is direct and severe: full RCE if the `setupPath` variable can be manipulated by an attacker. This could occur through various attack vectors, including compromised dependencies, malicious package uploads, or environment manipulation. The bypass of Windows security policy further lowers the barrier to exploitation, turning a local code execution bug into a potential system-wide compromise. This vulnerability highlights the persistent dangers of improper command execution in Node.js tooling and the critical importance of secure argument handling. --- - **Source**: GitHub Issues - **Sector**: The Lab - **Tags**: security, vulnerability, shell-injection, nodejs, powershell - **Credibility**: unverified - **Published**: 2026-03-28 10:27:03 - **ID**: 38936 - **URL**: https://whisperx.ai/en/intel/38936