VYPR
High severity · NVD Advisory · Published Aug 13, 2025 · Updated Aug 13, 2025

CVE-2025-50946

Description

OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OliveTin 2025.4.22 suffers from OS command injection in custom themes due to insufficient sanitization of user-supplied URLs before shell execution.

Vulnerability

Overview

OliveTin version 2025.4.22 contains an OS command injection vulnerability in its custom theme functionality. The flaw resides in the ParseRequestURI function within service/internal/executor/arguments.go [4]. When processing the themeGitRepo argument, the application uses url.ParseRequestURI to validate the URL syntax, but does not sanitize the input before passing it to a shell command [2]. This allows an attacker to inject arbitrary commands by embedding shell metacharacters in the URL.

Exploitation

An attacker with access to the OliveTin web interface can exploit this vulnerability by supplying a malformed URL, such as http://a;cat</etc/passwd, which passes the URL validation but results in command execution [2]. No authentication is required if the theme configuration endpoint is exposed, making it an unauthenticated attack vector [1]. The injection occurs because the validated URL is concatenated into a shell command without escaping.

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the server with the privileges of the OliveTin process. This can lead to full system compromise, including data theft, lateral movement, and deployment of malware.

Mitigation

As of the publication date, no official patch has been released. Users should restrict network access to the OliveTin interface and avoid enabling the custom theme feature until a fix is applied. Monitoring for unusual URL patterns in logs can help detect exploitation attempts.
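The following Go program is an added example written for this page from the defender's side; it is not OliveTin's code. It makes the Overview and Mitigation sections concrete: SyntaxOnlyCheck shows that url.ParseRequestURI accepts the URL quoted above, so syntactic validation alone is not a defense, while ValidateRepoURL is a hardened check that allow-lists the scheme and host, refuses embedded credentials and shell metacharacters, and BuildCloneArgs hands the result to os/exec as separate argv elements so no shell ever interprets it. The function names, the hostname pattern, the git clone arguments and the sample repository URL are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"regexp"
	"strings"
)

// shellMeta lists bytes a POSIX shell treats specially; none belong in a repo URL.
const shellMeta = ";|&$`<>()\\\"' \t\n*?[]{}~#"

// hostnameRE is a strict allow-list for the host part (assumed policy, not
// OliveTin's): dotted labels of letters, digits and hyphens, optional :port.
var hostnameRE = regexp.MustCompile(
	`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(?::[0-9]{1,5})?$`)

// SyntaxOnlyCheck mirrors the weak validation the advisory describes:
// url.ParseRequestURI only asks whether the input is shaped like a URL.
func SyntaxOnlyCheck(raw string) bool {
	_, err := url.ParseRequestURI(raw)
	return err == nil
}

// ValidateRepoURL is the hardened check (an assumed design): refuse shell
// metacharacters up front, parse, then allow-list scheme and host and refuse
// embedded credentials.
func ValidateRepoURL(raw string) (*url.URL, error) {
	if strings.ContainsAny(raw, shellMeta) {
		return nil, errors.New("URL contains shell metacharacters")
	}
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	if !hostnameRE.MatchString(u.Host) {
		return nil, fmt.Errorf("host %q is not a plain hostname", u.Host)
	}
	return u, nil
}

// BuildCloneArgs returns the argv that os/exec would run. Every value is its
// own argument, so no shell parses the URL; "--" stops git from treating a
// URL that begins with "-" as an option. The command is built, not executed.
func BuildCloneArgs(raw, dest string) ([]string, error) {
	u, err := ValidateRepoURL(raw)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", "clone", "--depth", "1", "--", u.String(), dest)
	return cmd.Args, nil
}

func main() {
	payload := "http://a;cat</etc/passwd" // the URL quoted in the advisory
	fmt.Printf("ParseRequestURI accepts payload: %v\n", SyntaxOnlyCheck(payload))
	if _, err := ValidateRepoURL(payload); err != nil {
		fmt.Println("hardened check rejects payload:", err)
	}
	// Constructed sample repository URL and destination path.
	args, err := BuildCloneArgs("https://github.com/example/theme.git", "/var/lib/olivetin/theme")
	fmt.Println(args, err)
}
```

The essential fix is the last step, not the regex: once the URL is one element of an argv slice, metacharacters in it are inert. The allow-list on top is defence in depth against option injection and surprising schemes, and a rejected request is also a clean signal to log and alert on.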

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions                        Patched versions
github.com/OliveTin/OliveTin (Go)  <= 0.0.0-20250502155356-8c073bf45fca     none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)