[SECURITY] Potential High-Severity Command Injection in LuCI (Password Handling)
Paul Spooren
mail at aparcar.org
Wed Nov 19 12:39:43 PST 2025
Hi Sri,
Thanks for your interest in the security of OpenWrt.
The line in question is preceded by a shellquote function and isn’t actually pure shell but `ucode`.
https://github.com/openwrt/luci/blob/master/modules/luci-base/root/usr/share/rpcd/ucode/luci#L472
I kindly ask you to test your exploits before reporting and escalating those.
Please keep on the search for bugs and report those you manage to exploit, thanks.
Paul
> On 19. Nov 2025, at 19:53, Sri Sowmya Nemani <nemanisrisowmya at gmail.com> wrote:
>
> Hello OpenWrt Administrative Team,
>
> I am writing to follow up on a confidential report I sent to
> contact at openwrt.org on Nov 17, 2025, titled:
>
> [SECURITY] Potential High-Severity Command Injection in LuCI (Password Handling)
>
> I have not received an acknowledgement after 2 days. Could you please
> confirm with the security team that the report was successfully
> received and is being processed?
>
> Thank you,
>
> Sri Sowmya Nemani
>
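Added example, not part of the thread and not LuCI's code: a Python sketch of what quoting a value before it reaches a shell command line achieves, which is the defence the reply points to. The `shellquote` here only borrows the name used in the reply; its body is the standard POSIX single-quote escaping and is an assumption about the technique, not a copy of the ucode function. The helper `sh_printf` and all sample values are constructed for illustration.

```python
import subprocess


def shellquote(value: str) -> str:
    """Return value as a single-quoted POSIX shell word (illustrative helper)."""
    if "\0" in value:
        # A NUL byte cannot be carried in a shell word; reject instead of truncating.
        raise ValueError("NUL byte in value")
    # Inside '...' only the quote itself is special, so close the quote,
    # emit an escaped quote, and reopen it:  '  ->  '\''
    return "'" + value.replace("'", "'\\''") + "'"


def sh_printf(word: str) -> str:
    """Splice word into a command line by concatenation and run it in /bin/sh."""
    proc = subprocess.run(
        ["/bin/sh", "-c", "printf '%s' " + word],
        capture_output=True, text=True, timeout=5, check=True,
    )
    return proc.stdout


# Constructed sample "passwords" containing shell metacharacters.
SAMPLES = [
    "",
    "pa ss",
    "$(echo INJECTED)",
    "`echo INJECTED`",
    "x'; echo INJECTED; #",
    'a"b\\c',
    "$HOME",
    "-n",
    "line1\nline2",
]


def round_trips(value: str) -> bool:
    """True if the shell receives exactly value as one literal argument."""
    return sh_printf(shellquote(value)) == value


if __name__ == "__main__":
    # Without quoting, the text after ';' runs as a second command.
    print("unquoted:", repr(sh_printf("x; echo INJECTED")))
    for sample in SAMPLES:
        print(round_trips(sample), repr(shellquote(sample)))
```

Quoting of this kind protects only when the quoted word is used in argument position and the resulting string is parsed by the shell once; passing it through a second evaluation undoes it.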