CVE-2024-47180
📋 TL;DR
Shields.io releases before server-2024-09-25 are vulnerable to remote code execution through the JSONPath library that powers the dynamic badges (/badge/dynamic/json, /badge/dynamic/toml and /badge/dynamic/yaml). An unauthenticated attacker who can reach those endpoints can run arbitrary code on the server by supplying a crafted JSONPath expression in the badge request. Every self-hosted instance running an earlier release is affected.
💻 Affected Systems
- Shields.io self-hosted instances running a release before server-2024-09-25
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry a version range, so scanners that key on NVD version data may not flag an affected instance automatically.
Why? The vulnerable range (every release before server-2024-09-25) is stated in the vendor advisory, not in the CVE database record, so automated matching has nothing to compare your version against.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to server-2024-09-25 or later, the release the vendor advisory names as fixed
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the server with attacker gaining full control, data exfiltration, lateral movement, and persistence.
Likely Case
Server compromise leading to data theft, cryptocurrency mining, or use as part of a botnet.
If Mitigated
Limited impact if the dynamic badge endpoints are blocked at the proxy or the instance is isolated; RCE remains possible from any network position that can still reach those endpoints, so a block rule only helps if it covers every path to the service.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoints; no authentication is needed, so any client that can reach the dynamic badge URLs can attempt it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: server-2024-09-25
Vendor Advisory: https://github.com/badges/shields/security/advisories/GHSA-rxvx-x284-4445
Restart Required: Yes
Instructions:
1. Update to server-2024-09-25 or later.
2. For Docker users: pull shieldsio/shields:next or a specific fixed tag (server-2024-09-25 or newer).
3. Restart the service.
🔧 Temporary Workarounds
Block vulnerable endpoints
Prevent access to the dynamic badge endpoints at the firewall or reverse proxy. Match on the path prefix rather than an exact path: Shields also serves badges with a format suffix (for example /badge/dynamic/json.svg), which a regex anchored as ^/badge/dynamic/json$ would miss. The query string is not part of the path either server matches, so the JSONPath itself never needs to be inspected by the block rule.
# Example nginx config to block endpoints (^~ is a prefix match that wins over regex locations)
location ^~ /badge/dynamic/ { deny all; }
# Example Apache config (optional format suffix covered)
<LocationMatch "^/badge/dynamic/(json|toml|yaml)(\.[a-z]+)?$">
    Require all denied
</LocationMatch>
🧯 If You Can't Patch
- Isolate the instance from other systems and the internet
- Implement strict network segmentation and monitor for suspicious requests
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable if its release is older than server-2024-09-25 and the dynamic badge endpoints are reachable by clients you do not trust.
Check Version:
# For Docker containers: prints the version field of package.json in the container's working directory.
# If that field does not carry the server-YYYY-MM-DD date, compare the image tag you deployed against server-2024-09-25 instead.
docker exec <container_name> node -e "console.log(require('./package.json').version)"
Verify Fix Applied:
Confirm the release is server-2024-09-25 or newer, then request a known-good dynamic badge (a plain path such as $.version against a JSON file you control) to confirm the endpoints still serve badges after the upgrade and any proxy rules have been removed.
📡 Detection & Monitoring
Log Indicators:
- Requests to /badge/dynamic/json, /badge/dynamic/toml or /badge/dynamic/yaml (including the same paths with a format suffix such as .svg) from clients or user agents that do not normally fetch badges
- JSONPath expressions in the badge's query parameter that use script-filter syntax ([?(...)] or [(...)]) or reference JavaScript internals (constructor, __proto__, process, require) instead of a plain dot/bracket path such as $.version
Network Indicators:
- HTTP requests with complex or unusual JSONPath syntax
- Traffic spikes to dynamic badge endpoints
SIEM Query:
source="shields.log" AND (url="/badge/dynamic/json*" OR url="/badge/dynamic/toml*" OR url="/badge/dynamic/yaml*")
The trailing wildcard covers both the optional format suffix and the query string; narrow the result set afterwards on the query parameter's contents rather than on the path alone.