## Critical Command Injection in Reports API Exposes Servers to Full Compromise
A critical security vulnerability in a common reports API endpoint allows authenticated attackers to execute arbitrary system commands on the server, leading to potential full compromise. The flaw, classified as OS Command Injection (CWE-78), resides in code that passes unsanitized user input directly to a dangerous system call.

The vulnerability is located in the `/reports/system` endpoint within the `src/api/reports.js` file. Specifically, the code uses `child_process.exec()` to run a disk usage command, but it directly concatenates the user-controlled `path` query parameter into the shell command. This allows an attacker to inject malicious commands. For example, a request like `GET /api/reports/system?type=disk&path=/ ; cat /etc/passwd` would execute the `cat` command, potentially exposing sensitive system files like the password database.

The impact is severe: any authenticated user with admin privileges—or an attacker who compromises an admin account—can achieve remote code execution. This grants them the same level of access as the server process itself, enabling data theft, further network penetration, or server takeover. The recommended remediation is to eliminate the use of `exec()` entirely, opting for safer alternatives like `execFile()` with explicit arguments or using Node.js's built-in `fs` and `os` modules for system information, thereby removing the dangerous shell interpretation of user input.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, command-injection, api, nodejs
- **Credibility**: unverified
- **Published**: 2026-04-03 20:27:08
- **ID**: 49478
- **URL**: https://whisperx.ai/en/intel/49478