Unauthenticated OS Command Injection in stamparm/maltrail in stamparm/maltrail


Reported on

Feb 24th 2023


Maltrail <= v0.54 is vulnerable to unauthenticated OS command injection during the login process.


The subprocess.check_output function in mailtrail/core/http.py contains a command injection vulnerability in the params.get("username")parameter.

An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.

Proof of Concept

curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/bbq`'


Arbitrary command execution


We are processing your report and will contact the stamparm/maltrail team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
Chris Wild
a month ago



I reached out to the maintainer via email. He validated the vulnerability and committed a fix. https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39

Ben Harvie validated this vulnerability a month ago
Chris Wild has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
a month ago


I have validated the report but we will need maintainer validation on the fix as this repository is eligible for a CVE.

a month ago


Would you rather we published without a CVE or do you want to wait for the maintainer @Chris?

Pavlos marked this as fixed in 0.55 with commit a29996 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability a month ago
httpd.py#L399 has been validated
a month ago


Facilitated completely in private

to join this conversation