CVE-2025-57282
Command Injection Vulnerability in ngrok
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ngrok | ngrok | to 4.3.3 (inc) |
| ngrok | ngrok | to 5.0.0-beta.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57282 is a command injection vulnerability in the npm package ngrok, specifically affecting versions 4.3.3 and 5.0.0-beta.2.
This flaw allows attackers to execute arbitrary commands on the system by exploiting the way ngrok processes certain inputs.
A proof of concept demonstrated that an attacker could use malicious options to create files or run commands on the affected system.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary commands on your system where the vulnerable ngrok package is installed.
Such command execution can lead to unauthorized access, data manipulation, system compromise, or the installation of malicious software.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable versions of the npm package ngrok (4.3.3 or 5.0.0-beta.2) are installed on your system.
Additionally, detection can involve looking for signs of exploitation such as the presence of unexpected files created by the command injection, for example a file named "Dremig486" in the current directory.
A possible command to check the installed version of ngrok is:
- npm list ngrok
To search for the suspicious file created by exploitation attempts, you can run:
- find . -name "Dremig486"
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or upgrading the vulnerable versions of the ngrok package (4.3.3 or 5.0.0-beta.2) to a version that is not affected by the command injection vulnerability.
If an upgrade is not available, consider disabling or restricting the use of ngrok until a secure version is released.
Also, monitor your system for any suspicious activity or files that may indicate exploitation attempts.