Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the name field of each filter property in the base64-encoded filter query parameter and in the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
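An added example, not ShellHub's own code, of the allowlist check that closes this class of bug, written in Go, the language of the ShellHub API: field names taken from the decoded filter parameter and from sort_by are validated against known device fields before they can become query keys, so a bad identifier produces a client error with a message rather than a bodyless 500 from the database layer. The filter entry shape, the field list and the function names are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Allowlist of device fields a client may filter or sort on. Constructed for
// this example; ShellHub's real device schema is not on the page.
var allowedFields = map[string]bool{
	"name": true, "online": true, "status": true, "last_seen": true,
}

// filterProperty is the assumed shape of one entry in the decoded filter
// parameter; only the field name matters for this check.
type filterProperty struct {
	Params struct {
		Name string `json:"name"`
	} `json:"params"`
}

// ValidateFieldName is the single check for both each filter's name and the
// sort_by value: only known field names become query keys, so operator-like
// strings such as "$gt" or dotted paths never reach the database layer.
func ValidateFieldName(name string) error {
	if !allowedFields[name] {
		return fmt.Errorf("invalid field name %q", name)
	}
	return nil
}

// ValidateFilterParam decodes the base64 filter query parameter and checks
// every property name before the query builder sees it.
func ValidateFilterParam(encoded string) ([]filterProperty, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("filter is not valid base64: %w", err)
	}
	var props []filterProperty
	if err := json.Unmarshal(raw, &props); err != nil {
		return nil, fmt.Errorf("filter is not valid JSON: %w", err)
	}
	for _, p := range props {
		if err := ValidateFieldName(p.Params.Name); err != nil {
			return nil, err
		}
	}
	return props, nil
}
```

The handler should map these errors to HTTP 400 and still keep rate limiting on the endpoint, since validation removes the crash but not the cost of repeated requests.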
Published: 2026-05-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to execute field injection against the device list endpoint, resulting in an invalid aggregation query that causes the API to return an uninformative HTTP 500 error. The crash is triggered by unvalidated BSON/SQL keys derived from the base64‑encoded filter and sort_by query parameters. The impact is a denial of service: the targeted endpoint becomes unusable until the service is restarted, and the error response offers no diagnostic information. The weakness is captured by CWE-20 (Improper Input Validation), CWE-1333 (Information Exposure through Log Injection), and CWE-943 (Unexpected Behavior).

Affected Systems

ShellHub, version 0.24.1 and earlier, provided by shellhub-io. All authenticated API users can exploit the device list endpoint. The issue has been fixed in ShellHub 0.24.2 and later.

Risk and Exploitability

The CVSS score of 5.4 describes moderate severity. In the absence of an EPSS score, exploitation likelihood is unknown, and the vulnerability is not currently reported in CISA's KEV catalog. Exploitation requires knowledge of the API structure and an active authenticated session; any user with such access can repeatedly trigger the crash, potentially exhausting resources without rate limiting. The vulnerability is remotely exploitable, and the lack of rate limiting increases the risk of a volumetric DoS attack. The attacker does not gain elevated privileges or data exposure; the primary risk is service availability.

Generated by OpenCVE AI on May 13, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShellHub to version 0.24.2 or newer to apply the official fix
  • Restrict or revoke the credentials that provide access to the devices list endpoint to limit exposure
  • Add API‑level rate limiting on the device list endpoint to mitigate the impact of repeated crashes

Generated by OpenCVE AI on May 13, 2026 at 22:26 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-47r2-v3x6-wff9
Title: ShellHub has crash-DoS via field injection in filter and sort-by parameters
History

Mon, 18 May 2026 13:45:00 +0000

First Time appeared (values added): Shellhub; Shellhub shellhub
CPEs (values added): cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:*
Vendors & Products (values added): Shellhub; Shellhub shellhub

Thu, 14 May 2026 21:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

First Time appeared (values added): Shellhub-io; Shellhub-io shellhub
Vendors & Products (values added): Shellhub-io; Shellhub-io shellhub

Wed, 13 May 2026 21:45:00 +0000

Description (values added): ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
Title (values added): ShellHub: Crash-DoS via field injection in filter and sort-by parameters
Weaknesses (values added): CWE-1333, CWE-20, CWE-943
References (values added): none
Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:52:09.294Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44425

Vulnrichment

Updated: 2026-05-14T16:04:16.495Z

NVD

Status : Analyzed

Published: 2026-05-13T22:16:44.400

Modified: 2026-05-18T13:34:49.477

Link: CVE-2026-44425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:15Z

Weaknesses