+ "details": "### Summary\n[zeptoclaw](https://github.com/qhkm/zeptoclaw) implements a [blocklist](https://github.com/qhkm/zeptoclaw/blob/fe2ef07cfec5bb46b42cdd65f52b9230c03e9270/src/tools/android/actions.rs#L413-L424) to prevent dangerous commands running in android device shell, but this blocklist has several blocked commands with argements in the pattern literal, such as `rm -f` and `rm -rf`, this can be simply bypassed by using different orders for these arguments, such as `rm -r -f` or `rm -fr` etc.\n\n### Details\nAs in code [src/tools/android/actions.rs#L413-L424](https://github.com/qhkm/zeptoclaw/blob/fe2ef07cfec5bb46b42cdd65f52b9230c03e9270/src/tools/android/actions.rs#L413-L424), we can see the `rm -f` and `rm -rf` are hard coded and thus can be simply bypassed via `rm -r -f` or `rm -fr` etc.\n```rust\npub async fn device_shell(adb: &AdbExecutor, cmd: &str) -> Result<String> {\n // Normalize whitespace for blocklist check\n let normalized: String = cmd.split_whitespace().collect::<Vec<_>>().join(\" \");\n let lower = normalized.to_lowercase();\n\n let blocked = [\n \"rm -rf\",\n \"rm -r\",\n \"reboot\",\n \"factory_reset\",\n \"wipe\",\n \"format\",\n \"dd if=\",\n \"mkfs\",\n \"flash\",\n \"fastboot\",\n ];\n for pattern in &blocked {\n if lower.contains(pattern) {\n return Err(ZeptoError::Tool(format!(\n \"Blocked dangerous command containing '{}'\",\n pattern\n )));\n }\n }\n```\n\n### PoC\nSet up [zeptoclaw](https://github.com/qhkm/zeptoclaw) with an Android tool and then run the command `rm -f -r` etc.\n\n### Impact\nUnauthorized command executed in Android device.\n\n### Credit\n[@zpbrent](https://github.com/zpbrent)",
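Review bot: the Summary contradicts the code quoted in Details. The `blocked` array shown contains `"rm -rf"` and `"rm -r"` but no `"rm -f"`, so the claim that `rm -f` is a hard-coded pattern is wrong, and the example bypass `rm -r -f` would actually be caught, because the normalized, lower-cased string contains the substring `rm -r`. The orderings that do slip past this substring check are `rm -fr` and `rm -f -r` (the latter is what the PoC uses); suggest rewording Summary and Details to cite those and drop `rm -r -f`. Also fix the typo `argements` to `arguments`. Details should name the root cause explicitly: matching substrings of the raw command string rather than tokenizing it into argv and checking the program name together with its parsed flags (or allowlisting commands), since that is what makes every flag reordering a bypass rather than just the ones listed.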