What is CVE-2026-25044?

**Location**: `packages/server/src/automations/steps/bash.ts` #### Description The bash automation step executes user-provided commands using `execSync` without proper sanitization or validation. User input is processed through `processStringSync` which allows template interpolation, potentially allowing arbitrary command execution. #### Code Reference ```21:28:packages/server/src/automations/steps/bash.ts const command = processStringSync(inputs.code, context) let stdout, success = true try { stdout = execSync(command, { timeout: environment.QUERY_THREAD_TIMEOUT, }).toString() ``` #### Attack Vector An attacker with access to create or modify automations can inject malicious shell commands by including template syntax that evaluates to command injection payloads (e.g., `$(rm -rf /)`, `; malicious-command`, `| malicious-command`). #### Impact - Remote code execution (RCE) - Complete system compromise - Data exfiltration - Lateral movement within the infrastructure #### Recommendation 1. **Immediate**: Disable bash automation step in production until fixed 2. Implement a whitelist of allowed commands 3. Use parameterized command execution with proper escaping 4. Implement command argument validation 5. Consider using a restricted shell or command sandboxing 6. Add rate limiting and monitoring for command execution #### Example Fix ```typescript import { spawn } from "child_process" // Validate against whitelist const ALLOWED_COMMANDS = ["echo", "date", "pwd"] // Extend as needed function sanitizeCommand(input: string): string { // Remove dangerous characters and command chaining return input.replace(/[;&|`$(){}[\]]/g, "").trim() } function validateCommand(cmd: string): boolean { const parts = cmd.split(/\s+/) return ALLOWED_COMMANDS.includes(parts[0]) } export async function run({ inputs, context }) { if (!inputs.code) { return { stdout: "Budibase bash automation failed: Invalid inputs" } } const processedCommand = processStringSync(inputs.code, context) const sanitized = sanitizeCommand(processedCommand) if (!validateCommand(sanitized)) { return { success: false, stdout: "Command not allowed" } } // Use spawn instead of execSync with proper argument handling return new Promise((resolve) => { const [command, ...args] = sanitized.split(/\s+/) const proc = spawn(command, args, { timeout: environment.QUERY_THREAD_TIMEOUT, }) let stdout = "" proc.stdout.on("data", (data) => { stdout += data }) proc.on("close", (code) => { resolve({ stdout, success: code === 0 }) }) }) } ```

What is the severity of CVE-2026-25044?

CVE-2026-25044 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25044?

No known public exploits are currently available for CVE-2026-25044.

Is there a patch available for CVE-2026-25044?

Yes, patches are available for CVE-2026-25044. Check the vendor advisories for update instructions.

CVE-2026-25044 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Location: packages/server/src/automations/steps/bash.ts

Description

The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution.

Code Reference

    const command = processStringSync(inputs.code, context)

    let stdout,
      success = true
    try {
      stdout = execSync(command, {
        timeout: environment.QUERY_THREAD_TIMEOUT,
      }).toString()

Attack Vector

An attacker with access to create or modify automations can inject malicious shell commands by including template syntax that evaluates to command injection payloads (e.g., $(rm -rf /), ; malicious-command, | malicious-command).

Impact

Remote code execution (RCE)
Complete system compromise
Data exfiltration
Lateral movement within the infrastructure

Recommendation

Immediate: Disable bash automation step in production until fixed
Implement a whitelist of allowed commands
Use parameterized command execution with proper escaping
Implement command argument validation
Consider using a restricted shell or command sandboxing
Add rate limiting and monitoring for command execution

Example Fix

import { spawn } from "child_process"

// Validate against whitelist
const ALLOWED_COMMANDS = ["echo", "date", "pwd"] // Extend as needed

function sanitizeCommand(input: string): string {
  // Remove dangerous characters and command chaining
  return input.replace(/[;&|`$(){}[\]]/g, "").trim()
}

function validateCommand(cmd: string): boolean {
  const parts = cmd.split(/\s+/)
  return ALLOWED_COMMANDS.includes(parts[0])
}

export async function run({ inputs, context }) {
  if (!inputs.code) {
    return { stdout: "Budibase bash automation failed: Invalid inputs" }
  }

  const processedCommand = processStringSync(inputs.code, context)
  const sanitized = sanitizeCommand(processedCommand)
  
  if (!validateCommand(sanitized)) {
    return {
      success: false,
      stdout: "Command not allowed"
    }
  }

  // Use spawn instead of execSync with proper argument handling
  return new Promise((resolve) => {
    const [command, ...args] = sanitized.split(/\s+/)
    const proc = spawn(command, args, {
      timeout: environment.QUERY_THREAD_TIMEOUT,
    })
    
    let stdout = ""
    proc.stdout.on("data", (data) => { stdout += data })
    proc.on("close", (code) => {
      resolve({ stdout, success: code === 0 })
    })
  })
}

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com

Ready for Agentic Automated Testing?

CVE-2026-25044

Description

Code Reference

Attack Vector

Impact

Recommendation

Example Fix