CVE-2025-69201
Unknown Unknown - Not Provided
Command Injection in Tugtainer-Agent API Allows Arbitrary Argument Execution

Publication date: 2025-12-29

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69201
EUVD
EUVD-2025-205598
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quenary tugtainer to 1.15.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Tugtainer versions prior to 1.15.1 allows arbitrary arguments to be injected into the tugtainer-agent via the POST api/command/run endpoint. This means an attacker could potentially execute unintended commands or manipulate the application behavior through this injection flaw. The issue is fixed in version 1.15.1.

Impact Analysis

The vulnerability can lead to unauthorized command execution or manipulation of the Tugtainer application, potentially compromising the security and integrity of the docker container update automation process. This could result in system compromise, data loss, or disruption of services.

Mitigation Strategies

Upgrade Tugtainer to version 1.15.1 or later, as this version fixes the arbitrary argument injection vulnerability in tugtainer-agent's POST api/command/run endpoint.

Detection Guidance

The vulnerability involves arbitrary argument injection in the POST api/command/run endpoint of the tugtainer-agent. To detect exploitation attempts on your system or network, you should monitor HTTP POST requests to the api/command/run endpoint for suspicious or malformed commands that do not comply with the expected command schema. Since the fix involves strict validation of commands, any commands that fail validation or contain unexpected flags or arguments could indicate an attempt to exploit this vulnerability. Specific detection commands are not provided in the resources, but you can use network monitoring tools (e.g., tcpdump, Wireshark) or web server logs to filter POST requests to api/command/run and inspect their payloads for unusual or unauthorized commands. For example, using curl or similar tools to test the endpoint with malformed commands could help verify if the system is patched. However, no explicit detection commands are given in the provided resources. [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart