VYPR
High severity · NVD Advisory · Published Apr 22, 2022 · Updated Aug 3, 2024

CVE-2022-29583

Description

Windows unquoted service path in kardianos/service Go package can lead to local privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-29583 exists in the service_windows.go file of the kardianos/service Go package. The installer obtains the executable path with execPath() and uses it without quoting, which can produce a Windows unquoted service path [1][3]. This affects all versions of the package where service_windows.go is used for Windows service installation. The advisory notes that the finding could not be reproduced by the original reporter or others [2].

Exploitation

An attacker with local access to the system must be able to write a malicious executable to a location that matches the unquoted path's intermediate directory. For example, if the service executable is installed at C:\Program Files\My Service\service.exe, Windows will search for C:\Program.exe, C:\Program Files\My.exe, and then the intended target when the service is started. By placing a malicious Program.exe or My.exe in the appropriate location, the attacker can cause the service manager to execute their code instead of the intended binary [3]. No network access or user interaction beyond local write permissions is required.

Impact

Successfully exploiting the unquoted service path allows the attacker to achieve arbitrary code execution in the context of the SYSTEM account, leading to full compromise of the system. The attacker gains the highest privileges on the Windows host, enabling them to install programs, create accounts, or modify data without restriction [3].

Mitigation

The fix is implemented in pull request #290, which adds quoting around the executable path [1]. Users should update the kardianos/service package to the version that includes this fix. The repository maintainer has merged the pull request; however, no official release version number has been explicitly mentioned in the references. No other workaround is documented. If a patched release is not yet published, users may manually apply the change from the pull request to their local copy of the dependency.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/kardianos/service (Go)
Affected versions: <= 1.2.1
Patched versions: (none listed)

Affected products: 2

Patches (1)
76004cef3ef5

Merge 5233973714784e6d9af171ea86b2f94561540531 into 5c08916379a92cb1806764e911af33c55762a753

https://github.com/kardianos/service · trespassing-potato · Jan 27, 2022 · via ghsa-ref
1 file changed · +2 -0
  • service_windows.go (+2 -0, modified)
    @@ -227,6 +227,8 @@ func (ws *windowsService) Install() error {
     	if err != nil {
     		return err
     	}
    +	// add quotes to the path in order to avoid "unquoted search path" issue
    +	exepath = `"`+exepath+`"`
     
     	m, err := mgr.Connect()
     	if err != nil {
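Review bot: the added line `exepath = `"`+exepath+`"`` quotes unconditionally, so if exepath can already arrive wrapped in quotes (for example when it is taken from configuration rather than from the running binary's own path) the service would be registered with a doubly quoted path and fail to start; guard the wrap with something like `if !strings.HasPrefix(exepath, `"`)` or move the quoting into a small helper that quotes only when needed. The comment would also be more useful if it named the advisory so the reason survives later refactoring, and an Install test using a path with a space in it would catch a regression of this exact bug.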
    

Vulnerability mechanics

Root cause

"Missing quoting around the Windows service executable path in service_windows.go allows path misinterpretation."

Attack vector

An attacker who can influence the installation path of a Windows service (e.g., by placing the service binary in a directory with spaces in its name) could exploit the missing quoting. When the service starts, the unquoted path causes Windows to interpret the path incorrectly, potentially executing a different binary located earlier in the filesystem. The advisory does not specify a particular network vector; the precondition is local access to install or configure the service path.

Affected code

The vulnerability is in `service_windows.go` within the kardianos service package for Go. This file constructs the command line for executing a Windows service executable but omits necessary quoting around the executable path. When the path contains spaces or special characters, the unquoted path can cause the service to launch from an unintended directory.

What the fix does

The patch adds proper quoting around the executable path in the command-line construction within `service_windows.go`. By wrapping the path in quotes, Windows reads the entire path as a single argument rather than splitting it at the first space, so an unintended binary earlier in the path cannot be executed in place of the service. This closes the unquoted-service-path vulnerability [patch_id=1641602].
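The fix above and the mitigation advice earlier on this page come down to one rule: the path handed to the Service Control Manager must be quoted whenever it can contain a space. The following Go program is an added illustration written for this page, not code from the kardianos/service project; the function names (QuoteServicePath, ServiceCommandLine, ExecutableFromCommandLine, IsUnquotedServicePath) and the sample command lines are constructed for the example. It shows the installer-side fix (quoting the executable and any space-containing arguments), a model of how an unquoted path is split, and the audit check a defender would run over existing service command lines to find the same weakness in other installations.

```go
package main

import (
	"fmt"
	"strings"
)

// QuoteServicePath wraps exePath in double quotes so the Service Control
// Manager reads it as one executable path instead of splitting it at the first
// space. An already quoted path is returned unchanged. Assumption: exePath never
// contains a double-quote character itself (it is not legal in NTFS file names).
func QuoteServicePath(exePath string) string {
	if len(exePath) >= 2 && strings.HasPrefix(exePath, `"`) && strings.HasSuffix(exePath, `"`) {
		return exePath
	}
	return `"` + exePath + `"`
}

// ServiceCommandLine builds a BinaryPathName-style command line: the quoted
// executable followed by its arguments, quoting any argument that contains
// whitespace so it is not split either.
func ServiceCommandLine(exePath string, args []string) string {
	parts := []string{QuoteServicePath(exePath)}
	for _, a := range args {
		if strings.ContainsAny(a, " \t") && !strings.HasPrefix(a, `"`) {
			a = `"` + a + `"`
		}
		parts = append(parts, a)
	}
	return strings.Join(parts, " ")
}

// ExecutableFromCommandLine models how Windows picks the executable out of a
// service command line: a leading quote delimits the whole path; without one,
// the path ends at the first whitespace. Used here only to show what an
// unquoted path resolves to during an audit.
func ExecutableFromCommandLine(cmd string) string {
	if strings.HasPrefix(cmd, `"`) {
		if end := strings.Index(cmd[1:], `"`); end >= 0 {
			return cmd[1 : end+1]
		}
		return cmd[1:]
	}
	if i := strings.IndexAny(cmd, " \t"); i >= 0 {
		return cmd[:i]
	}
	return cmd
}

// IsUnquotedServicePath reports whether a command line is exposed to the
// weakness: it does not start with a quote and the executable portion (up to
// the first ".exe") contains a space. Spaces that appear only in the
// arguments after the executable are not a finding.
func IsUnquotedServicePath(cmd string) bool {
	if strings.HasPrefix(cmd, `"`) {
		return false
	}
	lower := strings.ToLower(cmd)
	i := strings.Index(lower, ".exe")
	if i < 0 {
		return false
	}
	return strings.Contains(cmd[:i], " ")
}

func main() {
	// Constructed sample BinaryPathName values, as an audit might read them
	// from the SCM or the registry; none refer to a real installation.
	samples := []string{
		`C:\Program Files\My Service\service.exe`,
		`"C:\Program Files\My Service\service.exe"`,
		`C:\svc\service.exe -config "C:\Some Dir\cfg.yaml"`,
	}
	for _, cmd := range samples {
		fmt.Printf("%-55s unquoted=%-5v resolves to %q\n",
			cmd, IsUnquotedServicePath(cmd), ExecutableFromCommandLine(cmd))
	}

	// The installer-side fix: quote before handing the path to the SCM.
	fmt.Println(ServiceCommandLine(
		`C:\Program Files\My Service\service.exe`,
		[]string{"-config", `C:\Program Files\My Service\cfg.yaml`}))
}
```

IsUnquotedServicePath deliberately looks only at the text before the first ".exe" rather than at the whole line, so a correctly quoted executable with space-containing arguments is not reported; feeding it the BinaryPathName of every installed service is a cheap way to confirm that a patched kardianos/service build, or any other installer, registered its path correctly.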

Preconditions

  • config: The Windows service executable must be installed in a directory path containing spaces or special characters
  • input: The attacker must have the ability to influence the service installation path or binary placement

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in the index yet)