CVE-2024-36057 Overview
CVE-2024-36057 is a command injection vulnerability in Koha Library Management System versions before 23.05.10. The flaw exists in upload-cover-image.pl, where user-controlled filenames are passed directly to a shell command without sanitization. Attackers can craft a .zip archive containing files with shell metacharacters in their names. When an administrator processes the uploaded archive, the embedded shell commands execute on the server with the privileges of the web application. The vulnerability is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Remote attackers can achieve unauthenticated remote code execution on Koha servers by uploading a malicious ZIP archive and triggering cover image processing.
Affected Products
- Koha Library Management System versions prior to 23.05.10
- Koha 22.05.x branch prior to 22.05.22
- Deployments exposing the upload-cover-image.pl staff interface
Discovery Timeline
- 2026-04-07 - CVE-2024-36057 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2024-36057
Vulnerability Analysis
The vulnerability resides in the cover image upload workflow of Koha. The Perl script upload-cover-image.pl accepts a ZIP archive containing book cover images and processes the archive on the server. To extract the contents, the script executes the following Perl construct: qx/unzip $filename -d $dirname/;. The qx// operator in Perl invokes a shell to execute the interpolated command string. Because $filename is derived from attacker-controlled input without escaping or validation, any shell metacharacters in the filename break out of the intended unzip invocation. This results in arbitrary command execution as the user running the Koha web service.
Root Cause
The root cause is missing input sanitization combined with unsafe command invocation. Koha interpolates the user-supplied filename directly into a string passed to the shell. Safer alternatives would prevent the injection: invoking unzip through system() with a list argument, which hands each argument straight to execvp() without a shell ever parsing the command line, or validating the filename against an allowlist of characters and quoting it correctly before any shell sees it.
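The following Perl is an added illustration of the two points above and is not Koha's code: it places the unsafe qx// interpolation described on this page next to a hardened replacement that validates the archive name against an allowlist and then calls system() with a list, so no shell is involved. The function names, the allowlist pattern and the requirement for a .zip suffix are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code. Function names are hypothetical.
use strict;
use warnings;

# Unsafe: the name is interpolated into one string that /bin/sh parses, so a
# name such as "bad;name.zip" becomes two commands. Kept only to show the
# defect described on this page; never call it with untrusted input.
sub extract_cover_archive_unsafe {
    my ($filename, $dirname) = @_;
    return qx/unzip $filename -d $dirname/;
}

# Allowlist (assumed policy): letters, digits, dot, underscore and dash,
# must start with a letter or digit (so unzip cannot read it as an option
# and ".." cannot appear at the front), and must end in ".zip".
sub is_safe_archive_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,199}\.zip\z/ ? 1 : 0;
}

# Hardened: validate first, then run unzip with a LIST. With more than one
# element, system() calls execvp() directly; each element is exactly one
# argv entry no matter which characters it contains.
sub extract_cover_archive_safe {
    my ($filename, $dirname) = @_;
    die "rejected archive name\n" unless is_safe_archive_name($filename);
    die "destination directory missing\n" unless -d $dirname;
    my $rc = system('unzip', '-q', $filename, '-d', $dirname);
    die "unzip failed (status $?)\n" unless $rc == 0;
    return 1;
}

# Constructed names, exercised only through the validator.
for my $name ('spring_covers.zip', 'bad;name.zip', 'bad$(x).zip', '-x.zip', '../etc.zip') {
    printf "%-18s %s\n", $name, is_safe_archive_name($name) ? 'accepted' : 'rejected';
}
```

Only the first constructed name is accepted; the other four are rejected before unzip is ever started. If the archive must be unpacked with an external tool, the list form of system() is the minimal change; quoting for a shell is also possible with a module such as String::ShellQuote, and unpacking in-process with Archive::Zip removes the subprocess entirely. Both modules come from CPAN and are mentioned here as options, not as what Koha's fix does.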
Attack Vector
An attacker with the ability to reach the cover image upload functionality crafts a ZIP file containing entries whose names include shell metacharacters such as backticks, semicolons, or $() command substitution syntax. After uploading the archive and clicking Process Images, Koha invokes unzip against the attacker-supplied filename, and the shell evaluates the injected commands. Exploitation does not require complex prerequisites and can yield full remote code execution on the Koha host.
Verified proof-of-concept material is available in the Hacklantic Research GitHub repository. Refer to that resource for the canonical exploitation steps.
Detection Methods for CVE-2024-36057
Indicators of Compromise
- Unexpected child processes of the Koha web service (plack, apache2, or koha-shell) spawning shells such as /bin/sh, /bin/bash, or perl one-liners
- ZIP files with unusual filenames containing characters like `, ;, |, &, or $( in Koha upload directories
- New or modified files under Koha's cover image storage paths immediately following an upload event
- Outbound network connections initiated by the Koha service to attacker-controlled hosts shortly after an upload-cover-image.pl request
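The ZIP indicator above, and the grep-style rule over uploaded archives listed under Detection Strategies, can be implemented without third-party modules by reading the archive's central directory directly. The following Perl is an added example, not Koha's code or a published rule: it parses the end-of-central-directory record and the central directory headers with unpack, returns every entry name, and flags names that contain shell metacharacters or begin with a dash. The sample archive is constructed in memory with empty stored entries; the metacharacter set and the flagging policy are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Koha code: flag ZIP entry names containing shell
# metacharacters. Core Perl only; sample archive is constructed below.
use strict;
use warnings;

my $LOCAL_SIG = "PK\x03\x04";
my $CD_SIG    = "PK\x01\x02";
my $EOCD_SIG  = "PK\x05\x06";

# Characters a POSIX shell would interpret if a name ever reached it
# unquoted: the page's list plus quotes, redirection and whitespace (assumed set).
my $META = qr/[`;|&\$()<>'"\\\s]/;

# Build a minimal archive of empty, stored entries (sizes 0, CRC 0).
sub build_zip {
    my @names = @_;
    my ($local, $cd) = ('', '');
    for my $name (@names) {
        my $offset = length $local;
        $local .= $LOCAL_SIG
               . pack('v v v v v V V V v v', 20, 0, 0, 0, 0, 0, 0, 0, length $name, 0)
               . $name;
        $cd    .= $CD_SIG
               . pack('v v v v v v V V V v v v v v V V',
                      20, 20, 0, 0, 0, 0, 0, 0, 0, length $name, 0, 0, 0, 0, 0, $offset)
               . $name;
    }
    my $eocd = $EOCD_SIG
             . pack('v v v v V V v', 0, 0, scalar @names, scalar @names, length $cd, length $local, 0);
    return $local . $cd . $eocd;
}

# Walk the central directory and return every entry name (ZIP64 not handled).
sub zip_entry_names {
    my ($data) = @_;
    my $eocd = rindex($data, $EOCD_SIG);
    die "no end-of-central-directory record\n" if $eocd < 0;
    # Skip signature(4), disk(2), cd disk(2), entries on disk(2); read total, size, offset.
    my ($total, $cd_size, $cd_off) = unpack('x10 v V V', substr($data, $eocd, 22));
    my ($pos, @names) = ($cd_off);
    for (1 .. $total) {
        die "bad central directory header\n" unless substr($data, $pos, 4) eq $CD_SIG;
        # Name, extra and comment lengths sit at offset 28 of the 46-byte header.
        my ($nlen, $xlen, $clen) = unpack('x28 v v v', substr($data, $pos, 46));
        push @names, substr($data, $pos + 46, $nlen);
        $pos += 46 + $nlen + $xlen + $clen;
    }
    return @names;
}

# Names a defender should flag: metacharacters, or a leading dash.
sub suspicious_entries {
    my ($data) = @_;
    return grep { $_ =~ $META || $_ =~ /\A-/ } zip_entry_names($data);
}

sub scan_zip_file {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "open $path: $!\n";
    local $/;    # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return suspicious_entries($data);
}

# Constructed sample: two ordinary cover names and two that would be dangerous
# if they were ever interpolated into a shell command.
my $sample = build_zip('cover_0001.jpg', 'covers/cover_0002.png', 'cover;x.jpg', 'cover$(x).jpg');
print "FLAG: $_\n" for suspicious_entries($sample);

# Any paths given on the command line are scanned the same way.
for my $path (@ARGV) {
    print "$path: FLAG $_\n" for scan_zip_file($path);
}
```

Run on the constructed sample it prints two FLAG lines, for cover;x.jpg and cover$(x).jpg. Reading the central directory rather than the local headers matters because the central directory is what unzip itself trusts for entry names; the parser reads the entire file into memory, so for very large uploads you would seek to the trailer instead, and archives using ZIP64 records need the extended fields this example does not parse.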
Detection Strategies
- Inspect web server access logs for POST requests to upload-cover-image.pl followed by GET requests triggering the Process Images action
- Hunt for process lineage where unzip or the Koha Perl interpreter is the parent of an interactive shell
- Apply YARA or grep rules over uploaded ZIP archives to flag entries whose names contain shell metacharacters
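The first detection strategy above can be scripted directly against web server access logs. The following Perl is an added example, not Koha code or a Koha-supplied tool: it parses combined-format log lines, keeps the most recent POST to upload-cover-image.pl per client address, and reports any later GET to the same script from that client. The log lines are constructed for this example, the Koha URL path in them is assumed, and no Koha query parameter is relied on, since the page does not name the one behind the Process Images action.

```perl
#!/usr/bin/perl
# Added example, not Koha code: report clients whose POST to
# upload-cover-image.pl is followed by a GET to the same script.
use strict;
use warnings;

my $SCRIPT = 'upload-cover-image.pl';

# Parse one Apache/nginx "combined" format line into its useful fields.
# Returns an empty list for lines that do not parse.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) };
    return { ip => $1, time => $2, method => $3, path => $4, status => $5 };
}

# Return one hit per upload-then-GET pair, keyed by client address.
sub find_upload_then_process {
    my @lines = @_;
    my (%pending, @hits);
    for my $line (@lines) {
        my $r = parse_line($line) or next;
        next unless index($r->{path}, $SCRIPT) >= 0;
        if ($r->{method} eq 'POST') {
            $pending{ $r->{ip} } = $r;    # remember the most recent upload
        }
        elsif ($r->{method} eq 'GET' && $pending{ $r->{ip} }) {
            push @hits, {
                ip      => $r->{ip},
                upload  => $pending{ $r->{ip} }{time},
                process => $r->{time},
            };
            delete $pending{ $r->{ip} };
        }
    }
    return @hits;
}

# Constructed sample log lines (not from a real server; the path is assumed).
my @sample = (
    '10.0.0.5 - - [07/Apr/2026:10:01:02 +0000] "GET /cgi-bin/koha/mainpage.pl HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Apr/2026:10:02:11 +0000] "POST /cgi-bin/koha/tools/upload-cover-image.pl HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Apr/2026:10:02:40 +0000] "GET /cgi-bin/koha/tools/upload-cover-image.pl HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Apr/2026:10:02:55 +0000] "GET /cgi-bin/koha/tools/upload-cover-image.pl HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
);

my @lines = @sample;
if (@ARGV) {
    chomp(@lines = <>);    # read real log files named on the command line
}
for my $hit (find_upload_then_process(@lines)) {
    print "$hit->{ip}: upload at $hit->{upload}, processing request at $hit->{process}\n";
}
```

On the sample it reports only 10.0.0.5, whose POST at 10:02:11 is followed by a GET at 10:02:55; the lone GET from 10.0.0.9 is an ordinary page load and is not reported. The same pairing is easy to express as a correlation rule in a SIEM once the staff interface logs are forwarded there, which is why the monitoring recommendations below start with centralized logging.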
Monitoring Recommendations
- Enable detailed audit logging on the Koha staff interface and forward events to a centralized SIEM
- Monitor file integrity on Koha application directories and the system cron and authorized_keys paths
- Alert on anomalous egress from library application servers, which typically have predictable network patterns
How to Mitigate CVE-2024-36057
Immediate Actions Required
- Upgrade Koha to version 23.05.10, 22.05.22, or later as soon as possible
- Restrict access to the staff interface and upload-cover-image.pl endpoint to trusted networks using firewall or reverse proxy rules
- Audit recent uploads and process activity on Koha servers for signs of exploitation
- Rotate credentials and API tokens stored on the Koha host if compromise is suspected
Patch Information
The Koha community remediated the issue in the 23.05.10 release. See the Koha 23.05.10 release notes and the Koha 23.05.11 release notes for full details. The Koha 22.05.22 release announcement addresses the same issue on the prior stable branch.
Workarounds
- Disable the cover image upload feature in Koha administrative settings until patches can be applied
- Place the staff interface behind VPN or IP allowlisting to limit exposure
- Review and remove untrusted ZIP archives from Koha upload directories before any administrator triggers Process Images
# Verify your Koha version and plan an upgrade
dpkg -l | grep koha-common
# Expected output should show 23.05.10 or later, or 22.05.22 on the 22.05 branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.