## Shell Injection Vulnerability in Chat Application Docker Entrypoint Exposes BACKEND_URL to Arbitrary Nginx Config Injection
A high-severity shell injection vulnerability has been identified in the Docker entrypoint script of a chat application's frontend Nginx container. The flaw, located in `src/chat-app/frontend/docker-entrypoint.sh` (lines 11–14), allows an attacker who controls the `BACKEND_URL` environment variable to inject arbitrary nginx configuration directives, because the value is passed through `sed` without its special characters being sanitized. The vulnerability carries a High severity rating and falls under OWASP Category A03:2021 (Injection), raising immediate concerns for any deployment relying on this container image.

The vulnerable code uses `sed -E` substitution to extract the hostname from `BACKEND_URL` without sanitizing the input first. Specifically, the line `BACKEND_HOST=$(echo "$BACKEND_URL" | sed -E 's|https?://([^/:]+).*|\1|')` processes the raw environment variable directly, meaning characters such as `|`, newlines, or embedded nginx directives can escape the intended parsing. This transforms a seemingly benign configuration step into a vector for arbitrary config injection.

The impact is significant. An attacker able to set `BACKEND_URL` (for example, through a container orchestration misconfiguration or insufficient access controls) could inject malicious nginx directives, redirect API traffic to a hostile server, exfiltrate authentication tokens from proxied requests, or potentially achieve remote code execution through nginx configuration manipulation. Organizations deploying this container image should audit who can set environment variables at runtime and treat `BACKEND_URL` as a privileged, security-critical input requiring strict validation and access controls until a patched version of the entrypoint script is available.
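A hardened form of the extraction step described above, written here as an added example (not the project's own `docker-entrypoint.sh`): the host is pulled out with the same `sed` expression, then accepted only if it matches a strict hostname allow-list before it is written into the nginx config, so a value carrying `|`, a newline or a directive never reaches the template. The template path, the `__BACKEND_HOST__` placeholder and the `ENTRYPOINT_MODE` switch are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint: extract the backend host
# from BACKEND_URL and accept it only if it is a plain hostname or IPv4
# address, so no sed or nginx metacharacters can reach the generated config.
# The template path and the __BACKEND_HOST__ placeholder are assumptions.

# Prints the extracted host; returns 1 (prints nothing) if the URL is rejected.
extract_backend_host() {
  url=$1
  # Same sed expression as the vulnerable line, run over the raw value.
  host=$(printf '%s' "$url" | sed -E 's|https?://([^/:]+).*|\1|')
  # Allow-list check: letters, digits, dots and hyphens only, with sane
  # placement. Newlines, '|', ';', '{', '}', '$', '&' and '\' all fail here.
  case $host in
    ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
  esac
  printf '%s' "$host"
}

# Substitutes a validated host into the nginx template. The allow-list above
# guarantees the value contains no '|' or '&', so the sed replacement is safe.
render_nginx_conf() {
  template=$1
  out=$2
  host=$3
  sed "s|__BACKEND_HOST__|$host|g" "$template" > "$out"
}

# Entrypoint behaviour, enabled only when this file runs as the container
# entrypoint (ENTRYPOINT_MODE=1): refuse to start instead of writing a config
# built from an unvalidated BACKEND_URL.
if [ "${ENTRYPOINT_MODE:-0}" = 1 ]; then
  BACKEND_HOST=$(extract_backend_host "${BACKEND_URL:-}") || {
    echo "refusing to start: BACKEND_URL is not a plain http(s) URL" >&2
    exit 1
  }
  render_nginx_conf /etc/nginx/templates/default.conf.template \
    /etc/nginx/conf.d/default.conf "$BACKEND_HOST"
  exec nginx -g 'daemon off;'
fi
```
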
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: shell injection, docker security, nginx, CVE candidate, environment variable
- **Credibility**: unverified
- **Published**: 2026-04-28 19:54:17
- **ID**: 77932
- **URL**: https://whisperx.ai/en/intel/77932