## Critical Command Injection in Admin Logs Endpoint Exposes Server to Arbitrary Shell Execution
A critical security vulnerability has been patched in a web application's administrative interface, where a command injection flaw allowed attackers to execute arbitrary shell commands on the underlying server. The exposure stemmed from the `/api/admin/logs` endpoint, which used the `exec()` function to read log files and interpolated a user-supplied filename parameter directly into the shell command without any sanitization. Because the filename reached the shell unchanged, a value such as `'app.log; rm -rf /'` would be interpreted as additional commands, giving an attacker the ability to delete files, exfiltrate data, or take full control of the system.

The vulnerability was located in the `src/routes/admin.js` file and classified as a critical failure in input validation and sanitization. The endpoint's reliance on `exec()` with template literal interpolation created a direct pipeline from user input to the system shell. The fix, automatically generated by a tool named Remediator, replaced the dangerous `exec()` call with the safer `fs.readFile()` function, which reads the file without involving a shell at all. The remediation also mandates validating the filename against a strict whitelist of allowed characters and using `path.resolve()` combined with `path.basename()` so that the same parameter cannot be used for directory traversal once the command injection is closed.

This incident underscores the severe risks of improperly handling user input in administrative functions, especially those with system-level access. While the patch addresses the immediate technical flaw, it highlights a broader pattern of security debt in which automated tools are needed to catch basic but catastrophic oversights. That a critical vulnerability of this kind sat in an admin endpoint, a high-privilege area, indicates that development and security review processes are under real strain to prevent similar exposures that could lead to complete server compromise.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: command injection, security vulnerability, node.js, admin endpoint, input sanitization
- **Credibility**: unverified
- **Published**: 2026-04-02 15:27:18
- **ID**: 47641
- **URL**: https://whisperx.ai/en/intel/47641