CVE-2021-32090
CRITICALLocalStack < 0.12.10 - OS Command Injection via Dashboard functionName Parameter
Title source: llmDescription
The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.sonarsource.com/hack-the-stack-with-localstack
Exploit, Third Party Advisory x_refsource_misc
https://portswigger.net/daily-swig/localstack-zero-day-vulnerabilities-chained-to-achieve-remote-takeover-of-local-instances
Scores
CVSS v3
9.8
EPSS
0.0211
EPSS Percentile
79.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
localstack/localstack
0.12.6
pypi/localstack
0 - 0.12.10PyPI
Published
May 07, 2021
Tracked Since
Feb 18, 2026