CVE-2024-33434
Published 2024-05-07
Priority P275 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW): VulnCheck KEV
EPSS: 1.36% (68.4th percentile)
An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tiagorlampert_chaos | >= 0 < 0.0.0-20220716132853-b47438d36e3a | 0.0.0-20220716132853-b47438d36e3a |
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
OSV
Arbitrary code execution in github.com/tiagorlampert/CHAOS
osv·2024-05-09
CVE-2024-30850 Arbitrary code execution in github.com/tiagorlampert/CHAOS
A remote attacker can execute arbitrary commands via crafted HTTP requests.
OSV
tiagorlampert CHAOS vulnerable to arbitrary code execution
osv·2024-05-07
CVE-2024-30850 [CRITICAL] tiagorlampert CHAOS vulnerable to arbitrary code execution
An issue in tiagorlampert CHAOS before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.
GHSA
tiagorlampert CHAOS vulnerable to arbitrary code execution
ghsa·2024-05-07
CVE-2024-33434 [CRITICAL] CWE-78 tiagorlampert CHAOS vulnerable to arbitrary code execution
An issue in tiagorlampert CHAOS before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.
OSV
tiagorlampert CHAOS vulnerable to command injections
osv·2024-04-12
CVE-2024-30850 [HIGH] tiagorlampert CHAOS vulnerable to command injections
An issue in tiagorlampert CHAOS v5.0.1 allows a remote attacker to execute arbitrary code via the BuildClient function within client_service.go.
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2024·CVSS 9.8
CVE-2024-33434 [CRITICAL] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.
Affected: tiagorlampert CHAOS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/vulnerabilities-and-exploits-in-q2-2025/117333/
https://gist.github.com/slimwang/d1ec6645ba9012a551ea436679244496
https://github.com/tiagorlampert/CHAOS/pull/95
https://web.archive.org/web/20240406061035/https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/