Unauthenticated OS Command Injection in stamparm/maltrail


Reported on

Feb 24th 2023


Maltrail <= v0.54 is vulnerable to unauthenticated OS command injection during the login process.


The subprocess.check_output call in maltrail/core/httpd.py contains a command injection vulnerability in the params.get("username") parameter.

An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.
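The pattern behind this class of bug, shown as an added illustration rather than maltrail's own code: a user-controlled value interpolated into a shell command string beside the hardened form that passes it as a single argv element with no shell. The function names, the allow-list regex and the use of the Python interpreter as a stand-in for the logging binary are assumptions made so the example runs anywhere.

```python
"""Unsafe vs. hardened handling of a user-controlled value passed to subprocess."""
import re
import shlex
import subprocess
import sys

# Constructed sample input shaped like the report's PoC; it is never run through a shell here.
INJECTED_USERNAME = ";`id > /tmp/bbq`"
# Conservative allow-list for usernames (assumed policy, not maltrail's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_unsafe_command(username: str) -> str:
    """Hypothetical shape of the bug: the username is interpolated into a shell string.

    Executed with shell=True, ';' and backticks would be interpreted by /bin/sh.
    Returned as a string only, so the injection point can be inspected without executing it.
    """
    return "logger -t maltrail 'Failed login attempt for user %s'" % username


def build_quoted_command(username: str) -> str:
    """Minimal mitigation when a shell string is unavoidable: shlex.quote the whole value."""
    return "logger -t maltrail %s" % shlex.quote("Failed login attempt for user %s" % username)


def is_valid_username(username: str) -> bool:
    """Defense in depth: reject anything outside the allow-list before it reaches subprocess."""
    return USERNAME_RE.fullmatch(username) is not None


def log_failed_login_safe(username: str) -> str:
    """Hardened form: argv list and no shell, so the value is one literal argument.

    The Python interpreter stands in for 'logger' and echoes back argv[1], which shows
    that the metacharacters arrived verbatim and were never interpreted.
    """
    message = "Failed login attempt for user %s" % username
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", message],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("unsafe string :", build_unsafe_command(INJECTED_USERNAME))
    print("quoted string :", build_quoted_command(INJECTED_USERNAME))
    print("valid username:", is_valid_username(INJECTED_USERNAME))
    print("child received:", log_failed_login_safe(INJECTED_USERNAME))
```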

Proof of Concept

curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/bbq`'


Arbitrary command execution


We are processing your report and will contact the stamparm/maltrail team within 24 hours. 9 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 9 months ago
Chris Wild
9 months ago



I reached out to the maintainer via email. He validated the vulnerability and committed a fix. https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39

Ben Harvie validated this vulnerability 9 months ago
Chris Wild has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
9 months ago


I have validated the report but we will need maintainer validation on the fix as this repository is eligible for a CVE.

9 months ago


Would you rather we published without a CVE or do you want to wait for the maintainer @Chris?

Pavlos marked this as fixed in 0.55 with commit a29996 9 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability 9 months ago
httpd.py#L399 has been validated
9 months ago


Facilitated completely in private
