An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
CVSS
No CVSS.
References
Configurations
No configuration.
History
03 Jul 2025, 15:13
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
02 Jul 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-02 14:15
Updated : 2025-07-03 15:13
NVD link : CVE-2025-34073
Mitre link : CVE-2025-34073
CVE.ORG link : CVE-2025-34073
JSON object : View
Products Affected
No product.