github.com/inspektor-gadget/inspektor-gadget is vulnerable to Command Injection
66
Medium Risk
Affected versions of this package allow command injection during image build because user-controlled fields from the gadget manifest are interpolated into Makefile.build targets without proper escaping; specifically, parameters like CFLAGS, source paths, and other build options are passed directly to make. An attacker who can influence build.yml (e.g., in CI/CD pipelines building untrusted gadgets) can inject shell metacharacters to execute arbitrary commands during the build, resulting in code execution on the local host when --local is used, or inside the build container otherwise.
You are affected if you are using a version that falls within the vulnerable range.
github.com/inspektor-gadget/inspektor-gadget is vulnerable to Command Injection in versions 0.1.0 - 0.48.1.
Upgrade the github.com/inspektor-gadget/inspektor-gadget library to the patched version.
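As an added illustration of the mitigation a maintainer or operator would want (example code written for this advisory, not the project's own), the validator below rejects build.yml values that carry shell or make metacharacters before they are handed to Makefile.build; the BuildParams struct, its field names and the CFLAGS/SOURCES make variables are assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// BuildParams models the user-controlled manifest fields that become make
// variables (hypothetical struct; field names are assumptions).
type BuildParams struct {
	CFLAGS  string
	Sources []string
}

// A CFLAGS token must look like a compiler flag: a leading dash followed only by
// characters that mean nothing to sh or make ($ ; | & ` ( ) < > and quotes are rejected).
var flagRe = regexp.MustCompile(`^-[A-Za-z0-9_./+=,-]+$`)

// Source paths: relative, start with a plain character, no whitespace or metacharacters.
var pathRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_./-]*$`)

// ValidateBuildParams returns an error for any value that could change the
// shell commands make runs inside a recipe; nil means every field is safe.
func ValidateBuildParams(p BuildParams) error {
	for _, tok := range strings.Fields(p.CFLAGS) {
		if !flagRe.MatchString(tok) {
			return fmt.Errorf("unsafe CFLAGS token %q", tok)
		}
	}
	for _, s := range p.Sources {
		if !pathRe.MatchString(s) || strings.Contains(s, "..") {
			return fmt.Errorf("unsafe source path %q", s)
		}
	}
	return nil
}

// MakeCommand builds the make invocation as a discrete argv (no shell string)
// after validation. Argv separation keeps this process from being the injection
// point; validation is still needed because make itself passes variable values
// to /bin/sh when it expands them inside recipe lines.
func MakeCommand(p BuildParams) (*exec.Cmd, error) {
	if err := ValidateBuildParams(p); err != nil {
		return nil, err
	}
	args := []string{"-f", "Makefile.build", "CFLAGS=" + p.CFLAGS,
		"SOURCES=" + strings.Join(p.Sources, " ")}
	return exec.Command("make", args...), nil
}
```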