OS Command Injection in appium/appium-desktop
Description
OS Command Injection in Appium Desktop prior to v1.22.3-4 allows remote code execution if its open ports are exposed to the internet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-2479 describes an OS Command Injection vulnerability in Appium Desktop, a graphical frontend for the Appium automation server. The flaw exists in versions prior to v1.22.3-4, where insufficient input validation allows an attacker to inject arbitrary operating system commands. The vulnerability was identified and reported through the huntr bug bounty platform [4].
Exploitation requires network access to the Appium Desktop service. If the application's open ports are exposed to the wider internet, a remote attacker can send crafted requests that trigger command injection. No authentication is needed for exploitation, which makes exposed instances particularly dangerous for users who have not properly firewalled their systems [1][3].
Successful exploitation grants the attacker arbitrary command execution on the host system, effectively allowing full remote code execution. This could lead to data theft, malware installation, or complete compromise of the affected machine.
As of this writing, the Appium Desktop project has been deprecated and is no longer maintained. The developers explicitly advise against using it; users should migrate to the command-line Appium server with Appium Inspector [1][3]. No patches are planned, and the project repository has been archived. Affected users should immediately disable or firewall any exposed instances and transition to supported alternatives.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| appium-desktop (npm) | <= 1.14.1 | — |
Affected products (2)
- Range: unspecified
Patches (1)
12a988aa08b9 docs: update readme with security warning
1 file changed · +3 −1
README.md+3 −1 modified@@ -3,7 +3,9 @@ ❗❗ This project is no longer maintained since it is not compatible with Appium 2.0+. For Appium 1.x and 2.0+, use the command line Appium server (see the [Appium docs](https://appium.github.io/appium/docs/en/latest/) for installation and setup information), in combination with [Appium Inspector](https://github.com/appium/appium-inspector). -The old documentation for this project remains below. +❗❗ Since this project was deprecated at least one security vulnerability was discovered that could allow remote code execution by a malicious party if Appium Desktop's open ports are exposed to the wider internet. This project is unsupported and no fixes are planned. Again, please do not use Appium Desktop anymore. Use Appium and the Appium Inspector instead. + +_The old documentation for this project remains below._ # Appium Desktop
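Review bot: the added warning paragraph in README.md says "at least one security vulnerability was discovered" but carries no identifier or link, so a reader cannot look up the advisory or tell which releases are affected; link the advisory and name the affected versions next to that sentence. The phrase "open ports" is also left unspecified, so stating which port the server listens on and that it should be bound to localhost or firewalled would make the warning actionable for anyone still running the app. Minor: add a comma after "deprecated" in "Since this project was deprecated at least one security vulnerability was discovered".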
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.