Arbitrary command execution in Gerapy
Description
Gerapy before 0.9.9 allows authenticated remote command injection via the project_clone endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Gerapy versions prior to 0.9.9, the project_clone endpoint in views.py reads an address parameter from an authenticated POST request. If the value does not already end in .git, the server appends that suffix, then interpolates the result into a git clone command string that is run through the shell without any validation or escaping, so shell metacharacters in address become part of the executed command [2]. The affected code is reachable only by authenticated users [2].
Exploitation
An authenticated attacker can send a POST request to the project_clone endpoint with a crafted address value. For example, supplying /dev/null || malicious code # makes the shell run git clone against /dev/null, which fails, so the || operator runs the injected command, while the trailing # comments out the appended .git suffix and the target directory that follow it in the command string [2]. The attacker does not require any special privileges beyond a valid session [2].
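The following is an added example written for this page, not Gerapy's own views.py. It reproduces the vulnerable shape the advisory describes (append .git, splice the address into a git clone string, hand it to the shell) so the payload can be seen parsing the way the text says it does, and pairs it with a hardened handler that validates the address against an allowlist regex and runs git with an argv list instead of a shell. The sample addresses, the regex, and the function names are assumptions made for the illustration.

```python
"""Added example: shell command injection in a Gerapy-style project_clone
handler, beside a hardened form. Illustrative code, not Gerapy's source."""
import re
import subprocess
import tempfile

# Constructed sample inputs: a benign repository address and an address in the
# shape of the advisory's payload (a harmless echo stands in for the attacker's
# command).
BENIGN_ADDRESS = "https://github.com/Gerapy/Gerapy"
INJECTED_ADDRESS = "/dev/null || echo INJECTED #"


def vulnerable_clone_command(address: str, target_dir: str) -> str:
    """Vulnerable pattern: untrusted text spliced into a shell command string."""
    if not address.endswith(".git"):
        address += ".git"
    # Executed later with shell=True, so /bin/sh parses the whole string.
    return f"git clone {address} {target_dir}"


def run_vulnerable(address: str) -> str:
    """Run the vulnerable command through the shell and return its stdout.

    With INJECTED_ADDRESS the shell sees
        git clone /dev/null || echo INJECTED #.git <tmpdir>
    "git clone /dev/null" fails (or git is absent), so "||" runs the injected
    command, and "#" turns the appended ".git" and target dir into a comment.
    """
    with tempfile.TemporaryDirectory() as tmp:
        cmd = vulnerable_clone_command(address, tmp)
        proc = subprocess.run(cmd, shell=True, capture_output=True,
                              text=True, timeout=30)
        return proc.stdout.strip()


# Assumed allowlist for the hardened form: https URLs or scp-style ssh
# addresses made of URL-safe characters only (no spaces, quotes, |, ;, #, $).
_ADDRESS_RE = re.compile(
    r"^(https://[\w.\-]+(:\d+)?/[\w.\-/]+|git@[\w.\-]+:[\w.\-/]+)$"
)


def safe_clone_argv(address: str, target_dir: str) -> list:
    """Hardened form: validate first, then build an argv list (no shell).

    "--" ends git's option parsing, so even an address that slips past the
    allowlist and starts with "-" cannot be read as an option such as
    --upload-pack, which git would execute.
    """
    if not _ADDRESS_RE.fullmatch(address):
        raise ValueError(f"rejected clone address: {address!r}")
    if not address.endswith(".git"):
        address += ".git"
    return ["git", "clone", "--", address, target_dir]


def safe_clone(address: str, target_dir: str) -> subprocess.CompletedProcess:
    """Clone with the validated argv; nothing here is interpreted by a shell."""
    return subprocess.run(safe_clone_argv(address, target_dir), check=True)


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_clone_command(INJECTED_ADDRESS, "/tmp/proj"))
    print("shell output     :", run_vulnerable(INJECTED_ADDRESS))
    print("hardened argv    :", safe_clone_argv(BENIGN_ADDRESS, "/tmp/proj"))
    for bad in (INJECTED_ADDRESS, "--upload-pack=touch /tmp/pwn"):
        try:
            safe_clone_argv(bad, "/tmp/proj")
        except ValueError as exc:
            print("hardened rejected:", exc)
```

Running the script shows the word INJECTED coming from the shell even though the handler only meant to run git clone. The hardened version relies on two independent layers: the allowlist rejects anything that is not a plausible repository address, and the argv form plus -- means that even a rejected-by-oversight value would reach git as a single argument rather than as shell syntax or a git option.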
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the Gerapy server process. This can lead to full compromise of the crawler management system, including data exfiltration, installation of backdoors, or lateral movement within the network [1][2].
Mitigation
The vulnerability is fixed in Gerapy version 0.9.9 [1][2]. Users should upgrade to this version immediately. There are no known workarounds for earlier releases [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gerapy | PyPI | < 0.9.9 | 0.9.9 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-756h-r2c9-qp5j (GitHub Advisory Database)
- nvd.nist.gov/vuln/detail/CVE-2021-32849 (NVD)
- securitylab.github.com/advisories/GHSL-2021-076-gerapy (GitHub Security Lab advisory)
- github.com/Gerapy/Gerapy/issues/197
- github.com/Gerapy/Gerapy/issues/217
- github.com/Gerapy/Gerapy/security/advisories/GHSA-756h-r2c9-qp5j (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/gerapy/PYSEC-2022-17.yaml (PyPA advisory database)
- lgtm.com/projects/g/Gerapy/Gerapy
News mentions
No linked articles in our index yet.