August 21, 2023

GHSL-2022-119: Arbitrary command execution in CasaOS - CVE-2023-37469

Kevin Stubbings

Coordinated Disclosure Timeline


If an authenticated CasaOS user can successfully connect to an SMB server they control, they are able to execute arbitrary commands on the CasaOS host.



Tested Version



Issue: command injection in PostSambaConnectionsCreate (GHSL-2022-119)

The MountSmaba function is called by PostSambaConnectionsCreate with none of its inputs sanitized. The parameters are used to confirm that an SMB share can be authenticated, but if the malicious parameter values are also accepted as valid credentials by the SMB server, command injection is possible.

// All six caller-supplied values are concatenated, unquoted and unescaped,
// into a single shell command line, so any of them can terminate the
// MountCIFS invocation with ';' and append further commands.
func (s *connectionsStruct) MountSmaba(username, host, directory, port, mountPoint, password string) string {
	str := command2.ExecResultStr("source " + config.AppInfo.ShellPath + "/ ;MountCIFS " + username + " " + host + " " + directory + " " + port + " " + mountPoint + " " + password)
	return str
}

This issue may lead to Command Injection.
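For contrast, the following is an added example of a hardened replacement for this code path; it is not CasaOS code. It assumes a mount.cifs based mount: the values that go into argv are allowlisted, the command is executed without a shell, and the password is handed over through the PASSWD environment variable that mount.cifs reads, so it is never parsed by a shell at all.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// Allowlists for the values that end up in argv. The password needs none:
// it goes through the environment, not a shell, so ';' in it is inert.
var (
	hostRe  = regexp.MustCompile(`^[A-Za-z0-9.\-]{1,253}$`)
	shareRe = regexp.MustCompile(`^[A-Za-z0-9._\-]{1,80}$`)
	userRe  = regexp.MustCompile(`^[^,\s/\\]{1,64}$`) // ',' would inject extra -o options
)

// buildMountCmd (hypothetical replacement for MountSmaba) validates the
// caller-supplied values and builds an argv for mount with no shell involved.
func buildMountCmd(username, host, share, port, mountPoint, password string) (*exec.Cmd, error) {
	if !hostRe.MatchString(host) {
		return nil, fmt.Errorf("invalid host %q", host)
	}
	if !shareRe.MatchString(share) {
		return nil, fmt.Errorf("invalid share %q", share)
	}
	if !userRe.MatchString(username) {
		return nil, fmt.Errorf("invalid username %q", username)
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return nil, fmt.Errorf("invalid port %q", port)
	}
	// Mount points are confined to one base directory so ".." cannot escape it.
	const base = "/mnt/smb"
	mp := filepath.Clean(mountPoint)
	if !filepath.IsAbs(mp) || !strings.HasPrefix(mp, base+"/") {
		return nil, fmt.Errorf("mount point %q outside %s", mountPoint, base)
	}
	opts := fmt.Sprintf("username=%s,port=%d", username, p)
	cmd := exec.Command("mount", "-t", "cifs", "//"+host+"/"+share, mp, "-o", opts)
	cmd.Env = append(os.Environ(), "PASSWD="+password) // read by mount.cifs
	return cmd, nil
}
```

The returned *exec.Cmd is run with cmd.Run() from the handler; because argv is a slice, a value such as the PoC password is passed to mount as-is rather than being interpreted.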


This proof of concept injects through the password parameter.

  1. Create an SMB share with any path, any share name, and any username.
  2. Set the password of the user to ;CMD=$'\x20arg1';command$CMD

     For example, if I wanted to access a website, I could use ;CMD=$'\';curl$CMD

  3. Go to Files -> Location -> Connect Network Storage, enter the share path, username and password, and your command should execute.



This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings) and found with the help of the go/command-injection CodeQL query.


You can contact the GHSL team at ; please include a reference to GHSL-2022-119 in any communication regarding this issue.