CVE-2026-25888
Remote Code Execution in Chartbrew API Before
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| depomo | chartbrew | up to 4.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25888 is a high-severity Remote Code Execution (RCE) vulnerability in the open-source npm package Chartbrew version 4.8.0, patched in 4.8.1.
The vulnerability exists because the application uses the JavaScript Function() constructor with unsanitized user input in the testMongoQuery function inside ChartController.js.
An attacker who authenticates to the application can exploit the vulnerable API endpoint /project/[project id]/chart/test by injecting malicious code that executes arbitrary operating system commands on the server.
This allows the attacker to run OS commands, read or write files including sensitive data like source code, configuration files, secrets, and private keys, dump credentials and environment variables, exfiltrate or destroy data, install backdoors, pivot within internal networks, or disable the service.
The root cause is improper control of code generation (CWE-94), where externally influenced input is used to construct code without proper sanitization.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to complete system compromise.
- Attackers can execute arbitrary operating system commands on the server.
- They can read, modify, or delete sensitive files including source code, configuration files, secrets, and private keys.
- Credentials and environment variables can be dumped and exfiltrated.
- Data from MongoDB and other connected systems can be stolen or destroyed.
- Attackers can install backdoors and pivot within internal networks.
- The service can be disabled, causing availability issues.
Overall, this can result in large-scale data breaches, supply-chain attacks, and severe regulatory and financial consequences.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious API calls to the vulnerable endpoint `/project/[project id]/chart/test` in Chartbrew versions prior to 4.8.1. Specifically, look for unusual payloads that attempt to execute code via the JavaScript Function() constructor.

Since exploitation requires authentication and involves the use of the 'Connection' feature to obtain a MongoDB connection ID, monitoring authenticated requests to this feature and the vulnerable API endpoint is important.

To detect exploitation attempts, you can search application logs or network traffic for requests containing suspicious payloads similar to the example payload that executes OS commands, such as those containing `Function()` calls or attempts to run commands like `whoami`.

- Check access logs or API logs for POST requests to `/project/[project id]/chart/test` with unusual payloads.
- Use grep or similar tools on server logs to find occurrences of `Function(` or suspicious JavaScript code in request bodies.
- Example command to search logs for suspicious payloads: `grep -r 'Function(' /path/to/chartbrew/logs/`
- Monitor for unexpected child process executions or unusual system commands in server logs or via system monitoring tools. [1]
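As an added example (not from this page or the Chartbrew project), the detection guidance above run over a constructed log sample: it flags every POST to the chart test endpoint for review and raises the severity when the request body carries one of the indicators the guidance names. The JSON-lines log format and its field names are assumptions; adapt the loader to what your deployment or reverse proxy actually writes.

```python
import json
import re

# Constructed JSON-lines API log; field names (ts, user, method, path, body)
# are an assumption for this example, not Chartbrew's real log format.
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T10:01:02Z", "user": "alice", "method": "GET",
     "path": "/project/12/charts", "body": ""},
    {"ts": "2026-03-07T10:02:15Z", "user": "bob", "method": "POST",
     "path": "/project/12/chart/test",
     "body": '{"connection_id": 7, "query": "collection(\'users\').find({})"}'},
    {"ts": "2026-03-07T10:03:40Z", "user": "mallory", "method": "POST",
     "path": "/project/12/chart/test",
     "body": '{"connection_id": 7, "query": "Function(/* elided */)"}'},
    {"ts": "2026-03-07T10:04:01Z", "user": "mallory", "method": "POST",
     "path": "/project/12/chart/test",
     "body": '{"connection_id": 7, "query": "... whoami ..."}'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# The advisory's endpoint, with the [project id] placeholder as one path segment.
TEST_ENDPOINT = re.compile(r"^/project/[^/]+/chart/test/?$")
# Request-body indicators named in the detection guidance above.
INDICATORS = ("Function(", "whoami")


def scan_log(text: str) -> list:
    """One finding per POST to the test endpoint: "suspicious" if an indicator
    appears in the body, otherwise "review" (every such request on a pre-4.8.1
    instance deserves a look, not only the ones that trip a string match)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as framework banners
        if ev.get("method") != "POST" or not TEST_ENDPOINT.match(ev.get("path", "")):
            continue
        body = ev.get("body") or ""
        matched = [i for i in INDICATORS if i.lower() in body.lower()]
        findings.append({"line": lineno, "user": ev.get("user"),
                         "severity": "suspicious" if matched else "review",
                         "matched": matched})
    return findings


def suspicious_users(findings: list) -> set:
    """Accounts whose requests matched an indicator: where incident response starts."""
    return {f["user"] for f in findings if f["severity"] == "suspicious"}
```

Because the endpoint requires authentication, the `user` field of each finding is the pivot for the rest of the investigation: which account issued the request, and what it did with the 'Connection' feature beforehand.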
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Chartbrew to version 4.8.1 or later, where the vulnerability has been patched.

Until the upgrade can be performed, restrict access to the vulnerable API endpoint `/project/[project id]/chart/test` by limiting authentication and network access to trusted users only.

Monitor and audit logs for any signs of exploitation attempts and consider temporarily disabling the 'Connection' feature if possible to reduce attack surface.

Apply network-level protections such as firewall rules or API gateways to block or inspect suspicious requests targeting the vulnerable endpoint. [1]