CVE-2025-12744: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vulnerability Description

CVE-2025-12744 is an OS Command Injection vulnerability in the Automatic Bug Reporting Tool (ABRT) daemon.

Technical Details

The ABRT daemon copies up to 12 characters from untrusted, user-supplied input and inserts them directly into the shell command "docker inspect %s" without validating them. An unprivileged local user can craft input containing shell metacharacters, and the ABRT process, which runs as root, then executes commands controlled by the attacker. The result is privilege escalation to full root.

The vulnerability requires local access but no user interaction. CVSS 3.1: 8.8 (High), reflecting a high impact on confidentiality, integrity and availability together with low attack complexity. The root cause is unsafe construction of shell commands combined with missing input validation.

Potential Impact ...
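The bug class described under Technical Details, shown as an added illustration rather than ABRT's own code: the unsafe shape builds "docker inspect %s" into a string and hands it to a shell, while the hardened shape allow-lists the id (a Docker container id is lowercase hex) and passes it to docker as a separate argv element with no shell in between. The function and constant names, the 12-character limit applied as a maximum, and the hex allow-list are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define ID_MAX 12  /* the 12-character copy quoted in the advisory */

/* Unsafe shape (illustrative, not ABRT's code): the id lands in a format
 * string that a shell then parses as root, so any metacharacter in it
 * becomes part of the command line.
 *   char cmd[64];
 *   snprintf(cmd, sizeof cmd, "docker inspect %s", untrusted_id);
 *   system(cmd); */

/* Allow-list check: only lowercase hex of 1..ID_MAX characters passes;
 * spaces, ';', '$', '`', quotes and everything else is rejected. */
int container_id_is_safe(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > ID_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!(isdigit(c) || (c >= 'a' && c <= 'f')))
            return 0;
    }
    return 1;
}

/* Hardened shape: no shell. Each token is its own argv element, so docker
 * receives the id as one argument regardless of its contents. Returns the
 * child's exit status, or -1 if validation fails or spawning fails. */
int run_docker_inspect(const char *id)
{
    if (!container_id_is_safe(id))
        return -1;
    char *const argv[] = { "docker", "inspect", (char *)id, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);  /* searches PATH, never invokes /bin/sh */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting the id before any process is spawned is what the test below relies on; a real deployment would additionally drop privileges or use a fixed absolute path for docker rather than relying on PATH.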