CVE-2025-27106
Published: 21 February 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-27106 is a command injection vulnerability in the binance-trading-bot, an automated Binance trading bot implementing trailing buy/sell strategies. The issue resides in the `/restore` endpoint, where the name of an uploaded file is passed unsanitized—beyond basic path normalization—to `shell.exec()`, enabling remote code execution (RCE) on the host system. This affects all versions prior to 0.0.100 of the binance-trading-bot.
Authenticated users with low privileges can exploit this vulnerability remotely over the network with no user interaction required. By crafting a malicious filename during file upload to the `/restore` endpoint, an attacker can inject arbitrary shell commands, achieving full RCE in the context of the host machine running the bot. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impacts.
The GitHub security advisory (GHSA-wq6j-4388-4gg5) and associated commit confirm the fix in version 0.0.100, urging all users to upgrade immediately. No workarounds are available, and the vulnerable code is visible in the original `restore-post.js` handler at line 14.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via an unsanitized filename in the web `/restore` endpoint, passed to `shell.exec()`, enables RCE on a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).