TinyWeb CGI Command Injection
Security Advisory - CVE Request 1971570 (ID pending assignment). Date: 2025-12-27.
Summary
TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests.
Severity: Critical (CVSS 3.1 Base Score: 9.8)
Vulnerability Details
| CVE ID | CVE Request 1971570 (ID pending assignment) |
|---|---|
| Vulnerability Type | OS Command Injection (CWE-78) |
| Attack Type | Remote |
| Attack Vector | Network (unauthenticated HTTP request) |
| Vendor | Maxim Masiutin |
| Product | TinyWeb HTTP Server |
| Affected Versions | All versions before 1.98 (0.5 through 1.97) |
| Fixed Version | 1.98 (November 23, 2025) |
| Affected Component | CGI ISINDEX query handler, ExecuteScript function |
| Impact | Code Execution, Information Disclosure, Denial of Service, Privilege Escalation |
CVSS 3.1 Score
| Base Score | 9.8 Critical |
|---|---|
| Vector String | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Technical Details
Root Cause
When processing HTTP requests to CGI scripts with query strings that do not contain an equals sign (=), TinyWeb treats the query as ISINDEX-style input per RFC 3875 Section 4.4. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess().
Prior to version 1.98, these query parameters were appended directly to the command line without sanitization, allowing injection of Windows shell metacharacters.
Affected Code Path
1. THTTPServerThread.Execute parses the HTTP request
2. A query string without = triggers ISINDEX mode
3. ExecuteScript() appends the query to the command line
4. CreateProcess() executes with the unsanitized input
Attack Vector
An attacker sends an HTTP request with shell metacharacters in the query string:
```http
GET /cgi-bin/script.exe?arg1&calc.exe HTTP/1.1
Host: target.example.com
```
Because the query contains no =, TinyWeb treats it as ISINDEX input and places it on the CGI command line. The & character is interpreted by the Windows command processor as a command separator, causing calc.exe (or any other command) to execute. Other dangerous characters include: | < > ^ ( ) % ! " ' ` ; $. Note that CreateProcess() itself does not interpret these characters; they take effect when the command line reaches cmd.exe, which happens when the CGI target is a .bat or .cmd script (CreateProcess runs those through cmd.exe) or when the CGI program itself hands its arguments to a shell.
Exploitation Requirements
- TinyWeb version before 1.98
- At least one CGI script present in the cgi-bin directory
- Network access to the TinyWeb server
Fix Applied in Version 1.98
Version 1.98 implements two-layer defense-in-depth in SrvMain.pas (lines 799-862):
1. Whitelist Validation (Optional)
Function IsQueryParamSafe() validates that each query parameter contains only characters from the set [A-Za-z0-9._-/\:] (letters, digits, period, underscore, hyphen, forward slash, backslash and colon). A request containing any parameter with other characters is rejected with HTTP 400 Bad Request. This layer is controlled by the STRICT_CGI_PARAMS compile-time define, which is enabled by default.
2. Apache-style Escaping (Always Active)
Function EscapeShellParam() escapes Windows shell metacharacters with caret (^) and wraps parameters in quotes. This provides protection even when whitelist validation is disabled.
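The following Python model, added here as an illustration and not TinyWeb's own code (which is Delphi in SrvMain.pas), shows the pre-1.98 command-line construction from the Attack Vector section beside the two fix layers described above. The names isindex_args, build_cmdline_vulnerable, build_cmdline_fixed and flags_cgi_injection are this example's own; is_query_param_safe and escape_shell_param are modelled on the advisory's description of IsQueryParamSafe() and EscapeShellParam(), not copied from TinyWeb, and the exact metacharacter set TinyWeb escapes may differ. The sample query is the one from the advisory's request.

```python
"""Model of ISINDEX CGI argument handling before and after TinyWeb 1.98.

Added example, not TinyWeb's code. Function names are this example's own;
the two defence layers follow the advisory's description of
IsQueryParamSafe()/EscapeShellParam() (assumption: exact sets may differ).
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# cmd.exe metacharacters listed in the advisory.
CMD_METACHARS = set('&|<>^()%!"\'`;$')

# Advisory's whitelist [A-Za-z0-9._-/\:], with the hyphen escaped so it is
# a literal rather than a (broken) range.
SAFE_PARAM_RE = re.compile(r'^[A-Za-z0-9._\-/\\:]*$')


def isindex_args(query: str) -> Optional[List[str]]:
    """RFC 3875 s4.4: a query string with no unencoded '=' may be passed to
    the script as command-line arguments, split on '+' and URL-decoded.
    Returns None when the query is a normal name=value query."""
    if '=' in query:
        return None
    return [unquote(part) for part in query.split('+')] if query else []


def build_cmdline_vulnerable(script: str, query: str) -> str:
    """Pre-1.98 behaviour: ISINDEX arguments appended to the command line
    verbatim, so 'arg1&calc.exe' reaches cmd.exe unchanged."""
    args = isindex_args(query)
    if args is None:
        return script
    return ' '.join([script, *args])


def is_query_param_safe(param: str) -> bool:
    """Whitelist layer (STRICT_CGI_PARAMS)."""
    return SAFE_PARAM_RE.fullmatch(param) is not None


def escape_shell_param(param: str) -> str:
    """Escaping layer: prefix each metacharacter with '^' and quote the
    whole argument, as the advisory describes for EscapeShellParam()."""
    escaped = ''.join('^' + c if c in CMD_METACHARS else c for c in param)
    return '"' + escaped + '"'


def build_cmdline_fixed(script: str, query: str, strict: bool = True) -> str:
    """1.98 behaviour: reject unsafe parameters (HTTP 400) when the strict
    whitelist is compiled in, and always escape what remains."""
    args = isindex_args(query)
    if args is None:
        return script
    if strict and not all(is_query_param_safe(a) for a in args):
        raise ValueError('400 Bad Request: unsafe CGI parameter')
    return ' '.join([script, *(escape_shell_param(a) for a in args)])


def flags_cgi_injection(request_line: str) -> bool:
    """Log-hunting helper (this example's own): True when a request line
    targets /cgi-bin/ with an ISINDEX-style query that decodes to a
    cmd.exe metacharacter. name=value queries never reach the command line
    and are not flagged."""
    parts = request_line.split(' ')
    if len(parts) < 2 or '?' not in parts[1]:
        return False
    path, query = parts[1].split('?', 1)
    if not path.lower().startswith('/cgi-bin/'):
        return False
    args = isindex_args(query)
    return args is not None and any(c in CMD_METACHARS for a in args for c in a)


if __name__ == '__main__':
    q = 'arg1&calc.exe'  # query from the advisory's sample request
    print(build_cmdline_vulnerable('script.exe', q))
    print(build_cmdline_fixed('script.exe', q, strict=False))
    try:
        build_cmdline_fixed('script.exe', q)
    except ValueError as err:
        print(err)
```

With the strict layer compiled in, the advisory's request never reaches CreateProcess(); with it disabled, the argument still arrives as "arg1^&calc.exe", which cmd.exe no longer treats as two commands. flags_cgi_injection() URL-decodes before checking, so an attacker encoding & as %26 is caught as well.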
Mitigation
Recommended: Upgrade to TinyWeb version 1.98 or later.
Workaround: If upgrade is not possible, remove or disable all CGI scripts from the cgi-bin directory.
Timeline
| November 23, 2025 | Vulnerability discovered and fixed in version 1.98 |
|---|---|
| November 23, 2025 | Version 1.98 released with fix |
| December 27, 2025 | CVE requested from MITRE |
| TBD | CVE ID assigned |
Credit
Discovered by Maxim Masiutin (maintainer).
Other TinyWeb CVEs Fixed
| CVE-2024-5193 | CRLF Injection (CWE-93) - Fixed in v1.99. CRLF characters in URLs reflected in Location headers. |
|---|---|
| CVE-2024-34199 | Buffer Overflow (CWE-787) - Fixed in v1.99. Large request elements cause DoS. CVSS 8.6 High. |
| CVE-2004-2636 | Path Traversal (CWE-22) - Fixed in v1.93+. Directory traversal via /../../../ sequences. |
| CVE-2003-1510 | Denial of Service - Fixed in v1.93+. Malformed cgi-bin requests cause CPU consumption. |