GHSA-q66h-m87m-j2q6

Source

https://github.com/advisories/GHSA-q66h-m87m-j2q6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-q66h-m87m-j2q6/GHSA-q66h-m87m-j2q6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q66h-m87m-j2q6

Published

2026-02-10T00:21:56Z

Modified

2026-02-10T00:39:01.599070Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Bitcoinrb Vulnerable to Command injection via RPC

Details

Summary: Remote Code Execution

Unsafe handling of request parameters in the RPC HTTP server results in command injection

Details

In lib/bitcoin/rpc/http_server.rb line 30-39, the JSON body of a POST request is parsed into command and args variables. These values are then passed to send, which is used to call an arbitrary class method. However, there is no validation that the provided command value is one of the expected RPC methods. This means that an attacker could supply a command value such as system, and then pass arbitrary system commands into the args parameter and achieve remote code execution.

PoC

Start the RPC server
Send a request to the RPC server as so: curl -X POST http://127.0.0.1:18443 -H 'Content-Type: application/json' \ -d '{"method":"eval","params":["File.write(\"/tmp/pwned\",\"owned\")"]}'
Check the /tmp folder on the machine where the RPC server is being run. If a folder /pwned now exists, the vulnerability is confirmed.
Impact

This vulnerability would impact anyone running the RPC server. The impact is higher for those who are running it publicly exposed to the internet.

Remediation

Mitigating Factors:
- The RPC server is part of the experimental SPV node feature, which is not documented and has very few users.
- The SPV-related features may be removed in future releases.

Resolution:
- Added whitelist validation to allow only RPC methods defined in RequestHandler.
- Fixed in version 1.12.0.

Database specific

{
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed_at": "2026-02-10T00:21:56Z",
    "nvd_published_at": null
}

References

Affected packages

RubyGems / bitcoinrb

Package

Name: bitcoinrb
Purl: pkg:gem/bitcoinrb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0

Affected versions

0.*

0.0.1

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.2.2

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.3.1

0.3.2

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.2.1

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

1.9.1

1.10.0

1.11.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-q66h-m87m-j2q6/GHSA-q66h-m87m-j2q6.json"