[SECURITY] Potential High-Severity Command Injection in LuCI (Password Handling)
Sri Sowmya Nemani
nemanisrisowmya at gmail.com
Wed Nov 19 12:42:11 PST 2025
Hello Paul,
Thank you for the detailed information and clarification regarding the
use of shellquote and ucode. I appreciate you taking the time to look
into the report. I will certainly ensure that I fully test and confirm
the exploitability within the correct environment before submitting
any future reports.
Sri
On Wed, Nov 19, 2025 at 12:39 PM Paul Spooren <mail at aparcar.org> wrote:
>
> Hi Sri,
>
> Thanks for your interest in the security of OpenWrt.
>
> The line in question is preceded by a shellquote function and isn’t actually pure shell but `ucode`.
>
> https://github.com/openwrt/luci/blob/master/modules/luci-base/root/usr/share/rpcd/ucode/luci#L472
>
> I kindly ask you to test your exploits before reporting and escalating those.
>
> Please keep on the search for bugs and report those you manage to exploit, thanks.
>
> Paul
>
> > On 19. Nov 2025, at 19:53, Sri Sowmya Nemani <nemanisrisowmya at gmail.com> wrote:
> >
> > Hello OpenWrt Administrative Team,
> >
> > I am writing to follow up on a confidential report I sent to
> > contact at openwrt.org on Nov 17, 2025, titled:
> >
> > [SECURITY] Potential High-Severity Command Injection in LuCI (Password Handling)
> >
> > I have not received an acknowledgement after 2 days. Could you please
> > confirm with the security team that the report was successfully
> > received and is being processed?
> >
> > Thank you,
> >
> > Sri Sowmya Nemani
> >
>