OS Command Injection in Logseq IPC Shell Command Handler
Logseq exposes an IPC handler that permits the renderer process to invoke shell commands. Although the implementation applies an allowlist to the executable name, with examples including git, pandoc, and grep, it concatenates attacker-controlled argument data with the command and passes the resulting string to child_process.spawn with shell: true. Because the arguments are interpreted by a shell, shell metacharacters embedded in the argument string can break out of the intended command context and bypass the command-name allowlist. An attacker who can execute JavaScript in the renderer, such as via XSS or a malicious plugin, can exploit this flaw to run arbitrary shell commands as the Logseq process. The issue was tested and confirmed in Logseq v0.10.15; the status of other versions is currently not available because the issue was not addressed by a patch.
Remediation
shell: true, invoking executables directly, and passing arguments as a properly separated argument array rather than concatenated shell strings. Input handling should ensure that renderer-controlled data cannot introduce shell metacharacters or alter command structure. The advisory does not mention an available patch; only v0.10.15 was confirmed vulnerable, and the issue was stated to be unaddressed by a patch at disclosure time.
Exploits
No public exploit code observed for this vulnerability.