
CVE-2025-32778: Web-Check Command Injection RCE Vulnerability

CVE-2025-32778 is a command injection vulnerability in Web-Check's screenshot API that allows remote code execution. Attackers can execute arbitrary commands by exploiting unsanitized URL inputs. This post covers mitigation steps.

Published: April 1, 2026

CVE-2025-32778 Overview

CVE-2025-32778 is a critical command injection vulnerability affecting Web-Check, an all-in-one OSINT tool for analyzing websites. The vulnerability exists in the screenshot API component of the Web-Check project (Lissy93/web-check), where user-controlled input via the url parameter is passed unsanitized into a shell command using the exec() function. This flaw allows remote attackers to execute arbitrary system commands on the underlying host, potentially leading to complete system compromise, file extraction, or establishment of persistent remote access.

Critical Impact

Remote attackers can execute arbitrary commands on servers running Web-Check, potentially extracting sensitive files, establishing reverse shells, or fully compromising the underlying infrastructure without authentication.

Affected Products

  • Web-Check (Lissy93/web-check) - versions prior to the security patch
  • Self-hosted Web-Check instances with exposed screenshot API endpoints
  • Docker deployments of Web-Check with vulnerable API configurations

Discovery Timeline

  • 2025-04-15 - CVE-2025-32778 published to NVD
  • 2025-04-16 - Last updated in NVD database

Technical Details for CVE-2025-32778

Vulnerability Analysis

This vulnerability represents a classic command injection flaw (CWE-78) in Node.js applications. The screenshot API endpoint in Web-Check accepts a url parameter from users that is intended to capture screenshots of web pages. However, this user-supplied input is passed directly to the exec() function from Node.js's child_process module without proper sanitization or validation.

The exec() function spawns a shell to execute commands, making it inherently dangerous when processing user input. Attackers can craft malicious URL parameters containing shell metacharacters (such as ;, |, &&, $(), or backticks) to break out of the intended command context and inject arbitrary commands that execute with the privileges of the Node.js process.

Root Cause

The root cause of this vulnerability is the use of exec() instead of safer alternatives for command execution. The exec() function in Node.js invokes a shell interpreter to process the command string, which interprets special characters and allows command chaining. When user input is concatenated into this command string without proper escaping or validation, attackers can inject additional commands.

The secure fix involves replacing exec() with execFile(), which executes a specific file directly without invoking a shell. This approach properly isolates arguments and prevents shell metacharacter interpretation, eliminating the command injection vector.
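
The difference between the two calls, shown side by side as an added example (not Web-Check's own code). Assumptions: `echo` stands in for the external program the endpoint launches, the synchronous variants `execSync`/`execFileSync` are used to keep the flow linear, and the function names, the `validateTargetUrl` check and the sample input are constructed for illustration.

```javascript
const { execSync, execFileSync } = require('node:child_process');

// Constructed input: a URL followed by a shell separator and a harmless second command.
const SAMPLE = 'http://example.test; echo SECOND_COMMAND_RAN';

// Pattern the advisory describes: the value is concatenated into a string
// that /bin/sh parses, so the separator starts a second command.
function viaShell(url) {
  return execSync('echo ' + url, { encoding: 'utf8' }).trim().split('\n');
}

// Pattern of the fix: program and argument vector are passed separately and
// no shell is involved, so the whole value arrives as one literal argument.
function viaArgv(url) {
  return execFileSync('echo', [url], { encoding: 'utf8' }).trim().split('\n');
}

// Defence in depth (an assumption, not shown on the page): accept only
// absolute http(s) URLs. A value starting with "-" does not parse as a URL,
// so it can never reach the program looking like an option.
function validateTargetUrl(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Validation first, argument-vector execution second.
function capture(input) {
  const url = validateTargetUrl(input);
  if (url === null) return { ok: false, output: null };
  return { ok: true, output: viaArgv(url) };
}

console.log('shell  :', viaShell(SAMPLE));
console.log('argv   :', viaArgv(SAMPLE));
console.log('capture:', capture(SAMPLE), capture('https://example.org/a'));
```

Validation alone is not the fix: a syntactically valid URL can still carry characters the shell treats specially in its path or query, which is why the argument-vector call is the part that removes the injection.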

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can send a crafted HTTP request to the screenshot API endpoint with a malicious url parameter. The payload could include commands to:

  • Extract sensitive files from the server filesystem (e.g., /etc/passwd, environment variables, configuration files)
  • Download and execute malicious payloads
  • Establish reverse shell connections for persistent access
  • Pivot to other systems on the internal network
  • Exfiltrate data or deploy ransomware
javascript
 import puppeteer from 'puppeteer-core';
 import chromium from 'chrome-aws-lambda';
 import middleware from './_common/middleware.js';
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import { promises as fs } from 'fs';
 import path from 'path';
 import pkg from 'uuid';
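
Review bot: the import line now brings in execFile, but the call site is outside this hunk, so the change cannot be judged from the import swap alone. Confirm that the call passes the url value as its own element of the args array (not interpolated into a command string, and without the shell option), and consider rejecting values that are not http or https URLs before the call, since execFile stops shell parsing but still hands a value beginning with - to the program as an option.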

Source: GitHub Commit Update

Detection Methods for CVE-2025-32778

Indicators of Compromise

  • Unusual outbound network connections from the Web-Check server process
  • Unexpected child processes spawned by Node.js with shell interpreters (/bin/sh, /bin/bash)
  • Web server logs containing suspicious url parameters with shell metacharacters (;, |, &&, backticks, $())
  • Evidence of file access attempts to sensitive system files like /etc/passwd or .env files

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in URL parameters
  • Monitor Node.js process behavior for unexpected command execution or shell spawning using endpoint detection tools
  • Analyze HTTP access logs for anomalous patterns in the screenshot API endpoint requests
  • Deploy runtime application self-protection (RASP) solutions to detect command injection attempts in real-time
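
One way to run the access-log check described above, as an added example that is not part of the original advisory. It assumes common/combined log format; the log lines are constructed, and the function and constant names are hypothetical.

```javascript
// Constructed sample lines (documentation IP ranges), common/combined log format.
const SAMPLE_LOG = [
  '192.0.2.10 - - [16/Apr/2025:10:00:01 +0000] "GET /api/screenshot?url=https%3A%2F%2Fexample.org HTTP/1.1" 200 5120',
  '198.51.100.7 - - [16/Apr/2025:10:00:05 +0000] "GET /api/screenshot?url=https%3A%2F%2Fexample.org%3B%20echo%20test HTTP/1.1" 500 0',
  '198.51.100.7 - - [16/Apr/2025:10:00:09 +0000] "GET /api/screenshot?url=https%3A%2F%2Fexample.org%24%28echo%20test%29 HTTP/1.1" 500 0',
  '192.0.2.10 - - [16/Apr/2025:10:00:12 +0000] "GET /other?url=https%3A%2F%2Fexample.org%3Bx HTTP/1.1" 200 300',
];

// The metacharacters the advisory lists. ";" also occurs in some legitimate
// URLs, so treat a hit as a lead to review, not as proof of exploitation.
const SHELL_META = [
  { name: 'semicolon', re: /;/ },
  { name: 'pipe', re: /\|/ },
  { name: 'and-chain', re: /&&/ },
  { name: 'backtick', re: /`/ },
  { name: 'command-substitution', re: /\$\(/ },
];

// Client address and request target from one log line.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = LOG_RE.exec(line);
    if (!m) return;
    let target;
    try {
      // The base only makes the relative request target parseable.
      target = new URL(m[2], 'http://placeholder.invalid');
    } catch {
      return;
    }
    if (!target.pathname.startsWith('/api/screenshot')) return;
    // searchParams percent-decodes, so encoded metacharacters are caught too.
    for (const value of target.searchParams.getAll('url')) {
      const hits = SHELL_META.filter((p) => p.re.test(value)).map((p) => p.name);
      if (hits.length) findings.push({ line: i + 1, client: m[1], url: value, hits });
    }
  });
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG));
```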

Monitoring Recommendations

  • Enable detailed logging for all screenshot API requests including full URL parameters
  • Set up alerts for process execution anomalies where Node.js spawns unexpected child processes
  • Monitor network traffic for unusual egress connections that may indicate reverse shells or data exfiltration
  • Implement file integrity monitoring on critical system files and application directories

How to Mitigate CVE-2025-32778

Immediate Actions Required

  • Update Web-Check to the latest version that includes the security patch replacing exec() with execFile()
  • If immediate patching is not possible, disable or restrict access to the screenshot API endpoint
  • Review server logs for any indicators of exploitation attempts
  • Conduct a security assessment of any Web-Check instances that may have been exposed

Patch Information

The vulnerability has been addressed in the Web-Check project by replacing the vulnerable exec() function with execFile() in the api/screenshot.js file. The fix is available in commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef. Organizations should update their Web-Check installations by pulling the latest changes from the repository or deploying updated container images. For more details, see the GitHub Security Advisory GHSA-5qg5-g7c2-pfx8 and Pull Request #243.

Workarounds

  • Restrict network access to the screenshot API endpoint using firewall rules or reverse proxy configurations
  • Implement input validation at the reverse proxy level to reject requests containing shell metacharacters
  • Run Web-Check in an isolated container environment with minimal privileges and restricted filesystem access
  • Deploy Web-Check behind authentication to prevent unauthenticated access to API endpoints
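nginx
# Example: restrict screenshot API access via nginx
location /api/screenshot {
    # Option 1: allow only local clients to reach the vulnerable endpoint
    allow 127.0.0.1;
    deny all;

    # Option 2: require authentication
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # With both options present, nginx's default "satisfy all" requires a client
    # to pass both checks. Keep only one option, or add "satisfy any;" to accept either.

    proxy_pass http://localhost:3000;
}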

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Web Check
  • Severity: CRITICAL
  • CVSS Score: 9.3
  • EPSS Probability: 32.41%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-78

Technical References

  • GitHub Commit Update
  • GitHub Pull Request #243
  • GitHub Security Advisory GHSA-5qg5-g7c2-pfx8