CONTRAST: Unsafe Code Execution from Untrusted Sources on "/generate-label" page #10

@jason-at-contrast

Description

Vulnerability ID: 8OSW-UN11-6RRR-QMUO

Application Name: CargoCats-contrast-cargo-cats-labelservice

Vulnerability Link: https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/applications/6e28c468-deb7-4e2a-b390-66b7ac6cf894/vulns/8OSW-UN11-6RRR-QMUO

What Happened?

We tracked the following data from Untrusted Sources:

post /generate-label

[ HTTP body not captured ]

...which was accessed within the following code:

/app/app.js, line 1

... and ended up in this dynamic evaluation call:

""; require('child_process').exec('whoami', (error,..., stderr) => { console.log('User:', stdout); }); "".charAt(0).toUpperCase() + ""; require('child_process').exec('whoami', (error,..., stderr) => { console.log('User:', stdout); }); "".slice(1).toLowerCase()

What's the risk?

Recommendation

Check out our AI-generated Intelligent Remediation Guidance! https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/vulns/8OSW-UN11-6RRR-QMUO/overview/recommendation

First Event


Stack:
  AsyncLocalStorage.run(node:async_hooks:327)
  <anonymous>(/app/node_modules/body-parser/lib/read.js:1)
  AsyncResource.runInAsyncScope(node:async_hooks:203)
  invokeCallback(/app/node_modules/raw-body/index.js:1)
  done(/app/node_modules/raw-body/index.js:1)
  IncomingMessage.onEnd(/app/node_modules/raw-body/index.js:1)
  IncomingMessage.emit(node:events:517)
  endReadableNT(node:internal/streams/readable:1400)
  process.processTicksAndRejections(node:internal/process/task_queues:82)

Last Event


Stack:
  <anonymous>(/app/app.js:1)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:1)

HTTP Request

post http://labelservice:3000/generate-label HTTP/1.1
Accept: application/pdf
Content-Type: application/json
Contrasttraceparent: 00-f914911edb52ed82ad854f3afec9876d-92be89b365dbbbac-01
User-Agent: Java/11.0.30
Host: labelservice:3000
Connection: keep-alive
Content-Length: 200

References

https://owasp.org/www-community/attacks/Code_Injection

Session ID: 93cc2d91f56c1c94278d934bbf044a86
artifactHash: 56633c19
