
Command Injection in Project Name

Critical
andrasbacsai published GHSA-ccp8-v65g-m526 Jan 24, 2025

Package

No package listed

Affected versions

v4.0.0-beta.358

Patched versions

v4.0.0-beta.359

Description

Bug discovered by me, report write up and PoC by @Darker-Ink.

Summary

When creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes ('), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system.

Steps to Reproduce

  1. Create or edit a project (can be either a new project or an existing one).
  2. Change the project name to something like:
    'Testing Lol; echo vulnerable > /root/injection_test #'
    This will inject a command that writes to the /root/injection_test file.
  3. Deploy the project, and observe that the injection command is executed during the deployment process.
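The steps above work because the name is spliced into a single-quoted shell string, so a quote inside the name ends that string early and a trailing `#` comments out whatever the template appends. The following Python snippet is an added illustration, not code from the advisory or from the affected project: it tokenises a constructed name of the same shape the way a POSIX shell would, contrasts the interpolating construction with a quoted one, and shows the no-shell argv form and an allow-list check that a fix should combine. The `mkdir -p` template and the `/data/projects` directory are assumptions chosen for the demonstration; the project's real command is not shown on this page.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Constructed sample input, shaped like the project name in the advisory's steps.
POC_NAME = "'Testing Lol; echo vulnerable > /root/injection_test #'"

# Hypothetical command template; the affected project's actual command is not
# on the advisory page. The defect being shown is the quoted interpolation.
PROJECTS_DIR = "/data/projects"

def build_unsafe(name: str) -> str:
    """Vulnerable pattern: the name is spliced into a single-quoted shell string."""
    return f"mkdir -p '{PROJECTS_DIR}/{name}'"

def build_safe(name: str) -> str:
    """Fixed pattern: shlex.quote() wraps the value so it remains one shell word."""
    return f"mkdir -p {shlex.quote(PROJECTS_DIR + '/' + name)}"

def shell_tokens(cmd: str) -> List[str]:
    """Tokenise as a POSIX shell would; ; > | & become separate operator tokens."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))

SEPARATORS = {";", "&", "&&", "|", "||"}

def split_commands(cmd: str) -> List[List[str]]:
    """Split a tokenised command line into the simple commands the shell would run."""
    commands, current = [], []
    for tok in shell_tokens(cmd):
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

# Allow-list for names (assumed policy): letters, digits, space, dot, underscore, dash.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")

def is_valid_project_name(name: str) -> bool:
    """Defence in depth: reject names containing anything outside the allow-list."""
    return NAME_RE.fullmatch(name) is not None

def echo_argv_without_shell(name: str) -> str:
    """Preferred fix: no shell at all. The name reaches the child as one argv element.

    A Python child process stands in for the real tool so this runs anywhere."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return result.stdout

if __name__ == "__main__":
    for label, builder in (("unsafe", build_unsafe), ("safe", build_safe)):
        cmds = split_commands(builder(POC_NAME))
        print(f"{label}: {len(cmds)} command(s) -> {cmds}")
    print("allow-listed:", is_valid_project_name(POC_NAME))
    print("argv round-trip intact:", echo_argv_without_shell(POC_NAME) == POC_NAME)
```

Run as a script, the unsafe builder yields two commands, the second beginning with `echo`, while the safe builder yields a single `mkdir` whose last argument is the whole name, quotes and `#` included. Quoting alone is the narrow fix; passing an argument vector with no shell removes the parsing step entirely, and the allow-list catches unexpected characters before they reach any command at all.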

Proof of Concept (PoC)

We used the following Dockerfile in combination with the https://github.com/wdhdev/reminders repository:

FROM node:22

WORKDIR /app

COPY package*.json ./
RUN npm install
COPY . .

CMD ["npm", "start"]

We tested this vulnerability with v4.0.0-beta.358; however, it is likely that previous versions are also affected.

Impact

This vulnerability poses a severe security risk, as it allows attackers to:

  • Execute arbitrary commands on the host server, which could result in full system compromise.
  • Create, modify, or delete sensitive system files.
  • Escalate privileges depending on the permissions of the executed process.

Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment.

Severity

Critical

CVE ID

CVE-2025-22606
