CasaOS Command Injection vulnerability
Description
CasaOS before 0.4.4 allows authenticated users to execute arbitrary commands by connecting to a malicious SMB server due to insufficient input validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2023-37469 is a vulnerability in CasaOS, an open-source personal cloud system, in versions prior to 0.4.4. The issue resides in the SMB connection handling code, specifically in the PostSambaConnectionsCreate function in samba.go. The code lacked proper validation of user-supplied fields such as username, password, host, and port, allowing an attacker to inject arbitrary commands through crafted SMB server parameters [1][4].
Exploitation
An attacker must first trick an authenticated CasaOS user into connecting to a malicious SMB server controlled by the attacker. This can be achieved by social engineering or by hosting a rogue SMB share. Once the connection is established, the insufficient input validation enables command injection, giving the attacker a foothold on the CasaOS system [4].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the CasaOS process. This can lead to complete compromise of the CasaOS host, including data theft, installation of malware, or further lateral movement within the network [1].
Mitigation
CasaOS version 0.4.4 patches the vulnerability by removing the vulnerable input validation checks and improving the overall SMB connection handling. Users are strongly advised to upgrade to this version or later [3]. No workarounds have been publicly documented.
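To make the root cause and the fix concrete, here is an added Go example; it is not CasaOS code, and the SMBConnection type, the helper name and the argument order are constructed for illustration. It contrasts the vulnerable pattern from the root-cause paragraph (request fields concatenated into one line that a shell re-tokenizes) with two defensive measures: an allowlist validator in the spirit of the regex checks the pre-0.4.4 handler applied, and argv-based command construction in which each field stays a separate argument so no shell ever re-parses it.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// SMBConnection holds the user-supplied fields of a connection request.
// The struct and field names are assumptions for this example, not the
// project's own types.
type SMBConnection struct {
	Username   string
	Password   string
	Host       string
	Port       string
	Directory  string
	MountPoint string
}

// credentialPattern mirrors the character allowlist the pre-0.4.4 handler
// applied to username and password. It admits no whitespace, no shell
// metacharacters and no comma (the comma is also the mount-option delimiter).
var credentialPattern = regexp.MustCompile(`^[\w@#*.]{4,30}$`)

// Validate is the allowlist check: credentials from a small character class,
// host an IP literal, port a number in range. It returns the first failure.
func Validate(c SMBConnection) error {
	if !credentialPattern.MatchString(c.Username) {
		return fmt.Errorf("username: must match %s", credentialPattern)
	}
	if !credentialPattern.MatchString(c.Password) {
		return fmt.Errorf("password: must match %s", credentialPattern)
	}
	if net.ParseIP(c.Host) == nil {
		return fmt.Errorf("host: %q is not an IPv4/IPv6 literal", c.Host)
	}
	port, err := strconv.Atoi(c.Port)
	if err != nil || port < 1 || port > 65535 {
		return fmt.Errorf("port: %q is not in 1-65535", c.Port)
	}
	return nil
}

// UnsafeShellLine shows the vulnerable construction: every field is glued into
// one string that a shell re-tokenizes, so field boundaries are whatever the
// shell decides they are. Helper name and argument order are constructed here.
func UnsafeShellLine(c SMBConnection) string {
	return "source helper.sh ; MountCIFS " + c.Username + " " + c.Host + " " +
		c.Directory + " " + c.Port + " " + c.MountPoint + " " + c.Password
}

// ShellTokens approximates how a shell would split the line on whitespace.
func ShellTokens(line string) int {
	return len(strings.Fields(line))
}

// SafeArgv keeps each field as its own argv element for exec.Command, so no
// shell ever sees the input and tokenization cannot change with content.
// It assumes Validate has already run, because the -o string is comma-delimited.
func SafeArgv(c SMBConnection) []string {
	opts := fmt.Sprintf("username=%s,password=%s,port=%s", c.Username, c.Password, c.Port)
	return []string{"mount", "-t", "cifs", "-o", opts,
		"//" + c.Host + "/" + c.Directory, c.MountPoint}
}

func main() {
	// Constructed sample request (RFC 5737 documentation address).
	req := SMBConnection{Username: "alice", Password: "s3cret.pw", Host: "192.0.2.10",
		Port: "445", Directory: "share", MountPoint: "/mnt/share"}
	fmt.Println("validate:", Validate(req))
	fmt.Println("shell tokens:", ShellTokens(UnsafeShellLine(req)))
	fmt.Println("argv length:", len(SafeArgv(req)))
}
```

ShellTokens exposes the failure mode: a field that merely contains whitespace changes how many tokens the shell sees, while the length of the argv slice never depends on field content. SafeArgv still embeds credentials in a comma-delimited option string, so it relies on Validate having rejected commas first; the 0.4.4 fix avoids the shell entirely by calling unix.Mount, and the same delimiter constraint applies to the option string it builds.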
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/IceWhaleTech/CasaOS (Go) | < 0.4.4 | 0.4.4 |
Affected products
- IceWhaleTech/CasaOS: < 0.4.4
Patches
12 files changed · +31 −24
route/v1/samba.go+16 −18 modified@@ -16,7 +16,6 @@ import ( "net/http" "os" "path/filepath" - "regexp" "strings" "github.com/IceWhaleTech/CasaOS-Common/utils/logger" @@ -27,7 +26,6 @@ import ( "github.com/IceWhaleTech/CasaOS/pkg/samba" "github.com/IceWhaleTech/CasaOS/pkg/utils/common_err" "github.com/IceWhaleTech/CasaOS/pkg/utils/file" - "github.com/IceWhaleTech/CasaOS/pkg/utils/ip_helper" "github.com/IceWhaleTech/CasaOS/service" model2 "github.com/IceWhaleTech/CasaOS/service/model" "github.com/gin-gonic/gin" 
@@ -139,22 +137,22 @@ func PostSambaConnectionsCreate(c *gin.Context) { return } - if ok, _ := regexp.MatchString(`^[\w@#*.]{4,30}$`, connection.Password); !ok { - c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.CHARACTER_LIMIT, Message: common_err.GetMsg(common_err.CHARACTER_LIMIT)}) - return - } - if ok, _ := regexp.MatchString(`^[\w@#*.]{4,30}$`, connection.Username); !ok { - c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) - return - } - if !ip_helper.IsIPv4(connection.Host) && !ip_helper.IsIPv6(connection.Host) { - c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) - return - } - if ok, _ := regexp.MatchString("^[0-9]{1,6}$", connection.Port); !ok { - c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) - return - } + // if ok, _ := regexp.MatchString(`^[\w@#*.]{4,30}$`, connection.Password); !ok { + // c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.CHARACTER_LIMIT, Message: common_err.GetMsg(common_err.CHARACTER_LIMIT)}) + // return + // } + // if ok, _ := regexp.MatchString(`^[\w@#*.]{4,30}$`, connection.Username); !ok { + // c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) + // return + // } + // if !ip_helper.IsIPv4(connection.Host) && !ip_helper.IsIPv6(connection.Host) { + // c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) + // return + // } + // if ok, _ := regexp.MatchString("^[0-9]{1,6}$", connection.Port); !ok { + // c.JSON(common_err.CLIENT_ERROR, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) + // return + // } connection.Host = 
strings.Split(connection.Host, "/")[0] // check is exists
service/connections.go+15 −6 modified@@ -11,11 +11,12 @@ package service import ( - "github.com/IceWhaleTech/CasaOS/pkg/config" - command2 "github.com/IceWhaleTech/CasaOS/pkg/utils/command" + "fmt" + "github.com/IceWhaleTech/CasaOS/service/model" model2 "github.com/IceWhaleTech/CasaOS/service/model" "github.com/moby/sys/mount" + "golang.org/x/sys/unix" "gorm.io/gorm" ) @@ -26,7 +27,7 @@ type ConnectionsService interface { CreateConnection(connection *model2.ConnectionsDBModel) DeleteConnection(id string) UpdateConnection(connection *model2.ConnectionsDBModel) - MountSmaba(username, host, directory, port, mountPoint, password string) string + MountSmaba(username, host, directory, port, mountPoint, password string) error UnmountSmaba(mountPoint string) error } @@ -56,9 +57,17 @@ func (s *connectionsStruct) DeleteConnection(id string) { s.db.Where("id= ?", id).Delete(&model.ConnectionsDBModel{}) } -func (s *connectionsStruct) MountSmaba(username, host, directory, port, mountPoint, password string) string { - str := command2.ExecResultStr("source " + config.AppInfo.ShellPath + "/helper.sh ;MountCIFS " + username + " " + host + " " + directory + " " + port + " " + mountPoint + " " + password) - return str +func (s *connectionsStruct) MountSmaba(username, host, directory, port, mountPoint, password string) error { + err := unix.Mount( + fmt.Sprintf("//%s/%s", host, directory), + mountPoint, + "cifs", + unix.MS_NOATIME|unix.MS_NODEV|unix.MS_NOSUID, + fmt.Sprintf("username=%s,password=%s", username, password), + ) + return err + //str := command2.ExecResultStr("source " + config.AppInfo.ShellPath + "/helper.sh ;MountCIFS " + username + " " + host + " " + directory + " " + port + " " + mountPoint + " " + password) + //return str } func (s *connectionsStruct) UnmountSmaba(mountPoint string) error { return mount.Unmount(mountPoint)
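Review bot: In the PostSambaConnectionsCreate hunk of route/v1/samba.go the four validation blocks are commented out rather than deleted, while the `regexp` and `ip_helper` imports they reference are removed in the import hunk, so the commented code would no longer compile if restored; delete it and record in the commit message why the allowlist is no longer needed. Note also that after this change `connection.Host` is only trimmed with `strings.Split(connection.Host, "/")[0]`, so the handler no longer guarantees that Host is an IP literal or that Port and the credentials come from a restricted character set; that is acceptable only because MountSmaba no longer hands these values to a shell, and the hunk should say so.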
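Review bot: The new MountSmaba in service/connections.go builds the cifs option string with `fmt.Sprintf("username=%s,password=%s", username, password)` without escaping, and the kernel parses that string as a comma-delimited list, so a username or password containing a comma is not contained within its own field; now that the regex allowlist in the route handler is gone, nothing upstream rejects that character. Reject option delimiters here or supply the credentials through a mechanism the option parser treats as opaque. Two smaller points on the same hunk: the `port` parameter is still accepted but never used (the old helper passed it through, and cifs accepts a `port=` option), and the `//%s/%s` source path is built from `host` and `directory` with no validation either. Delete the commented-out `command2.ExecResultStr` lines instead of leaving them, and in the import hunk reuse the existing `model2` alias rather than adding a second import of the same `service/model` package.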
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-92vc-4fcw-g68q (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-37469 (GHSA, advisory)
- securitylab.github.com/advisories/GHSL-2022-119_CasaOS (GHSA, advisory)
- github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/route/v1/samba.go (GHSA, x_refsource_MISC, web)
- github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/service/connections.go (GHSA, x_refsource_MISC, web)
- github.com/IceWhaleTech/CasaOS/commit/af440eac5563644854ff33f72041e52d3fd1f47c (GHSA, x_refsource_MISC, web)
- github.com/IceWhaleTech/CasaOS/releases/tag/v0.4.4 (GHSA, x_refsource_MISC, web)
- github.com/github/pe-security-lab/issues/1871 (GHSA, web)
- securitylab.github.com/advisories/GHSL-2022-119_CasaOS (MITRE, x_refsource_CONFIRM)