CVE-2024-41997

MEDIUM

Warp Terminal <2024.07.18 - Command Injection

Title source: llm

Description

An issue was discovered in versions of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that, when clicked by the victim, results in command execution on the victim's machine.

Exploits (1)

nomisec WRITEUP
by xpcmdshell · poc
https://github.com/xpcmdshell/CVE-2024-41997

Scores

CVSS v3: 6.6
EPSS: 0.0017
EPSS Percentile: 37.3%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Published: Oct 14, 2024
Tracked Since: Feb 18, 2026