Bug Report
Describe the bug
The backend API endpoint /gdb_command (in gdbui_server/main.py) passes the user-provided command string directly to the underlying gdb shell without any sanitization. Because GDB has built-in features to execute OS commands (like shell or pi import os;), an attacker can easily bypass the debugging logic to natively execute arbitrary system commands. This leads to Unauthenticated Remote Code Execution (RCE) and full server compromise.
Is this a regression?
No, this has likely been present since the /gdb_command endpoint was originally implemented.
To Reproduce
Note: Since this is an actively exploitable RCE vulnerability, I am providing a benign reproduction step. I have a fully functional exploit PoC ready for maintainers.
- Start the backend gdbui_server.
- Send a POST request to /gdb_command with a crafted payload abusing GDB's evaluation:

  {
    "name": "any_file",
    "command": "pi import os; os.system('echo RCE_POC_SUCCESS > rce_proof.txt')"
  }
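The following is an added illustration, not code from gdbui_server, of the input validation the report says the endpoint lacks: instead of forwarding the raw request string to gdb, the backend only forwards commands whose first word matches an allowlist of debugging commands exactly. The names ALLOWED_COMMANDS, validate_gdb_command, CommandRejected and handle_request, and the contents of the allowlist, are assumptions made for this example.

```python
"""Illustrative allowlist validator for a /gdb_command-style endpoint.

Added example, not gdbui_server's own code. ALLOWED_COMMANDS,
validate_gdb_command, CommandRejected and handle_request are assumed
names; the allowlist contents are an assumption as well.
"""

# Assumed allowlist of debugging commands a debugger UI typically needs.
# It deliberately omits anything that evaluates code outside the debuggee,
# such as the "shell" and "pi" commands named in the report.
ALLOWED_COMMANDS = frozenset({
    "break", "b", "delete", "d",
    "run", "r", "continue", "c", "next", "n", "step", "s", "finish",
    "backtrace", "bt", "frame", "f", "up", "down",
    "info", "list", "l", "print", "p", "x", "display", "watch",
})


class CommandRejected(ValueError):
    """Raised when a request does not match the allowlist."""


def validate_gdb_command(command: object) -> str:
    """Return the normalized command string or raise CommandRejected.

    Matching is on the exact first word: gdb expands unambiguous
    abbreviations itself, so anything not listed verbatim is refused here
    rather than handed to gdb to be resolved.
    """
    if not isinstance(command, str):
        raise CommandRejected("command must be a string")
    cmd = command.strip()
    if not cmd:
        raise CommandRejected("empty command")
    # Control characters (newlines in particular) would let a single
    # request carry more than one gdb command line.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cmd):
        raise CommandRejected("control characters are not allowed")
    first_word = cmd.split(maxsplit=1)[0]
    # A first word that is not purely alphabetic can never be one of the
    # listed commands, so it is rejected before the set lookup.
    if not first_word.isalpha() or first_word not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command {first_word!r} is not allowlisted")
    return cmd


def handle_request(payload: dict) -> dict:
    """Validate a request body shaped like the report's payload.

    Constructed helper: returns a result dict instead of forwarding the
    command to gdb, so the check can be exercised on its own.
    """
    try:
        command = validate_gdb_command(payload.get("command"))
    except CommandRejected as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "command": command}


if __name__ == "__main__":
    # Constructed sample requests: the report's payload and a benign one.
    reported = {
        "name": "any_file",
        "command": "pi import os; os.system('echo RCE_POC_SUCCESS > rce_proof.txt')",
    }
    print(handle_request(reported))                        # rejected
    print(handle_request({"name": "any_file", "command": "bt"}))  # accepted
```

An allowlist of this kind is only one layer: the report describes the endpoint as unauthenticated, so authenticating requests to /gdb_command is needed regardless of how the command string is filtered, and the set of commands worth allowing should be decided against what the UI actually needs rather than copied from this example.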