Intel

AIKIDO-2026-549490

open is vulnerable to Command Injection

Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

78

High Risk

This Affects:

RUSTopen
1.0.0 - 5.3.6
Fixed in 5.4.0
Are you affected? Scan for Free

TL;DR

The open crate passes caller-supplied URLs and file paths directly to the platform launcher without sanitizing them. On Unix-like systems, a path beginning with a dash is forwarded to the opener as a command-line option rather than a positional argument, allowing an attacker who controls the target to inject launcher flags. On Windows and WSL, the target is embedded inside a PowerShell -Command string, so metacharacters in an attacker-controlled path are interpreted as PowerShell syntax and can lead to arbitrary command execution. The fix passes the target through the OPEN_RS_TARGET environment variable so it is never interpolated into a shell command string, and uses end-of-options -- separators to prevent dash-leading paths from being parsed as options.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted URLs or file paths to the open crate.

Background info

open is vulnerable to Command Injection in versions 1.0.0 - 5.3.6.

How to fix this

Upgrade the open library to the patch version.