
CVE-2026-40519: RCE via Shell Injection in DNS Credentials

Published 8 June 2026
CVSS 7.7
Nginx Proxy Manager
Affected versions: v2.9.14-v2.9.20, v2.9.21-v2.9.22, v2.10.0-v2.10.4, v2.11.0-v2.11.3, v2.12.0-v2.12.6, v2.13.0-v2.13.7, v2.14.0
Executive summary

Nginx Proxy Manager is vulnerable to authenticated remote code execution due to a shell injection in setupCertbotPlugins() (backend/setup.js). The user-controlled field dns_provider_credentials is interpolated into a shell command executed via child_process.exec() without proper escaping. An attacker with certificates:manage permission can inject arbitrary commands, executed on backend restart (typically as root in Docker deployments).

Vulnerability Details

Incorrect escaping order (vulnerable code in setupCertbotPlugins()):

// Single quotes are escaped first, then backslashes: the backslash added
// before each quote is itself doubled by the second pass.
const escapedCredentials = certificate.meta.dns_provider_credentials
    .replaceAll("'", "\\'")
    .replaceAll("\\", "\\\\");

Because backslashes are escaped after single quotes, the backslash inserted before each quote is itself doubled, so the quote ends up unescaped and the protection is defeated. Example input:

x' ; cmd ; #

After both passes the value becomes x\\' ; cmd ; #, and the interpolated command closes the quoted string early, so cmd is executed:

echo 'x\\' ; cmd ; #'
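To make the ordering defect concrete, the following is an added example written for this page (it is not Nginx Proxy Manager code): it applies the two replaceAll() orders to the advisory's sample input and to a second constructed input that already contains a backslash, then checks whether each single quote is still preceded by an odd number of backslashes after both passes. The escape functions mirror the snippets above; buildEchoCommand(), allQuotesEscaped() and demo() are names introduced here. The check reports only whether the escaping is self-consistent, not how any particular shell parses the result.

```javascript
// Added example (not Nginx Proxy Manager code): reproduces the escape-order
// defect and checks whether every single quote in the output is still
// protected by an odd number of preceding backslashes.

// Vulnerable order from the advisory: quotes first, then backslashes.
// The backslash added for each quote is itself doubled, so "\'" becomes
// "\\'" and the quote is no longer marked as escaped.
function escapeVulnerableOrder(value) {
  return value.replaceAll("'", "\\'").replaceAll("\\", "\\\\");
}

// Corrected order from the advisory: backslashes first, then quotes.
function escapeFixedOrder(value) {
  return value.replaceAll("\\", "\\\\").replaceAll("'", "\\'");
}

// Mirrors the shape of the command the advisory shows: echo '<credentials>'.
function buildEchoCommand(escaped) {
  return "echo '" + escaped + "'";
}

// True when every single quote is preceded by an odd number of backslashes,
// i.e. the escape inserted for it survived the second replaceAll() pass.
function allQuotesEscaped(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] !== "'") continue;
    let backslashes = 0;
    for (let j = i - 1; j >= 0 && escaped[j] === "\\"; j--) backslashes++;
    if (backslashes % 2 === 0) return false;
  }
  return true;
}

// Constructed sample input: the advisory's own example value.
const SAMPLE = "x' ; cmd ; #";

// Runs both orders over SAMPLE and returns the resulting commands plus the
// self-consistency verdict for each.
function demo() {
  const bad = escapeVulnerableOrder(SAMPLE);
  const good = escapeFixedOrder(SAMPLE);
  return {
    vulnerable: buildEchoCommand(bad),     // echo 'x\\' ; cmd ; #'
    vulnerableSafe: allQuotesEscaped(bad), // false: quote preceded by 2 backslashes
    fixed: buildEchoCommand(good),         // echo 'x\' ; cmd ; #'
    fixedSafe: allQuotesEscaped(good),     // true: quote preceded by 1 backslash
  };
}

console.log(demo());
// A constructed input that already contains a backslash shows the same
// pattern: the vulnerable order leaves the quote behind an even run.
console.log(escapeVulnerableOrder("a\\b'c"), allQuotesEscaped(escapeVulnerableOrder("a\\b'c")));
console.log(escapeFixedOrder("a\\b'c"), allQuotesEscaped(escapeFixedOrder("a\\b'c")));
```

Counting the backslashes in front of each quote is the same test a code reviewer performs by eye on the two snippets: with the vulnerable order every quote ends up behind an even run, regardless of the input.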

Proof of Concept (PoC)

  1. Store payload in dns_provider_credentials
  2. Restart backend
  3. Payload executes via /bin/sh -c inside exec()

The injection is reliable in Docker deployments because /etc/letsencrypt/credentials/ is not persisted, so the credentials file is rewritten, and the command executed, on every backend restart. Example payload:

fake' > /dev/null; CMD ; echo '

Risk and Impact

  • Full RCE
  • Access to secrets, TLS keys, database
  • Service disruption and persistence

Fix

// Fixed order: escape backslashes first, then single quotes, so the
// backslash inserted before each quote is not doubled afterwards.
.replaceAll("\\", "\\\\")
.replaceAll("'", "\\'");

Disclaimer

This document is provided for informational and security awareness purposes only. The information is shared responsibly to help improve software security and should not be used for malicious activities.

Author

Yassine Damiri

© 2023 Yassine Damiri. All Rights Reserved.