doomsider shadow denial of service
Description
A vulnerability was found in doomsider shadow. It has been classified as problematic. Affected is an unknown function. The manipulation leads to denial of service. The attack must be carried out locally. The complexity of an attack is rather high, and exploitability is reported to be difficult. This product uses continuous delivery with rolling releases, so no version details are available for affected or updated releases. The patch is identified as 3332c5ba9ec3014ddc74e2147190a050eee97bc0. It is recommended to apply the patch to fix this issue. VDB-221478 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- doomsider/shadow, v5, Range: n/a
Patches
Vulnerability mechanics
Root cause
"Use of `eval` on unsanitized user-supplied input allows special shell characters to crash the script."
Attack vector
An attacker who can send chat messages or otherwise inject commands into the game's command-processing pipeline can craft input containing special shell characters. When the vulnerable `eval` statement processes this input in `chat_commands` or `core_logloop`, those characters can cause the script to crash or behave unexpectedly, resulting in a denial of service. The attack requires local access and is considered difficult to exploit [patch_id=2247376].
Affected code
The vulnerability resides in `modules/chatfunctions.dtsd` (the `chat_commands` function) and `core/core_loops.dtsd` (the `core_logloop` function). Both locations previously used `eval` to execute commands constructed from user-supplied input without sanitization [patch_id=2247376].
What the fix does
The patch removes all `eval` invocations in both `chat_commands` and `core_logloop`, replacing them with direct function calls (`$USERCOMMAND ...` and `$RECIEVEDCOMMAND ...`). It also adds a `lib_arraycontains` check to validate that the requested chat command exists in the allowed list before executing it. These changes prevent arbitrary shell interpretation of user-supplied strings, closing the denial-of-service vector [patch_id=2247376].
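The pattern the fix describes, as an added illustration and not code from the shadow repository: a chat dispatcher that re-parses player text with `eval`, next to one that checks an allow-list and calls the handler directly. All names (`ALLOWED`, `cmd_ping`, `cmd_help`, `contains`, `dispatch_eval`, `dispatch_direct`) and the sample chat text are constructed for this example, which is written for POSIX sh.

```shell
#!/bin/sh
# Added illustration; every name here is hypothetical, not from the shadow scripts.

ALLOWED="ping help"    # allow-list of chat command names (constructed)

cmd_ping() { printf 'pong %s\n' "$*"; }
cmd_help() { printf 'commands: %s\n' "$ALLOWED"; }

# Membership test, in the spirit of the lib_arraycontains check the fix adds.
contains() {
    needle=$1; shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# Before: the chat line is handed back to the shell parser, so quotes and
# other metacharacters in player text are treated as shell syntax.
dispatch_eval() {
    eval "cmd_$1 $2"
}

# After: validate the command name, then call the handler directly.
# The player's text stays one inert argument and is never re-parsed.
dispatch_direct() {
    # $ALLOWED is left unquoted on purpose so it splits into separate names.
    contains "$1" $ALLOWED || { echo "unknown command"; return 2; }
    "cmd_$1" "$2"
}

# Constructed chat input: ordinary text, then text containing an apostrophe.
# The eval call runs in a subshell because some shells abort the whole
# script on a parse error inside eval, which is the denial of service.
for text in "hello" "it's"; do
    ( dispatch_eval ping "$text" ) 2>/dev/null || echo "eval path failed on: $text"
    dispatch_direct ping "$text"
done
```

An apostrophe in ordinary chat text is enough to make the `eval` path fail, while the direct call prints it back unchanged.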
Preconditions
- input: Attacker must be able to send chat messages or otherwise inject commands into the game's command-processing pipeline
- network: Attacker must have local access to the system running the shadow software
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/doomsider/shadow/commit/3332c5ba9ec3014ddc74e2147190a050eee97bc0 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)