Intel

AIKIDO-2026-616489

appium-adb is vulnerable to OS Command Injection

OS Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 29, 2026

59

Medium Risk

This Affects:

JSappium-adb
0.0.3 - 15.0.2
Fixed in 15.0.3
Are you affected? Scan for Free

TL;DR

appium-adb constructs adb shell command lines such as am start -n <pkg>/<activity> from caller-supplied application package and activity names in startApp, buildStartCmd, and waitForActivityOrNot. Before the fix only the $ character was escaped, so names containing shell metacharacters such as ;, |, backticks, &&, or $(...) are passed unescaped into the command executed via adb shell. An application that forwards untrusted package or activity names lets an attacker break out of the intended component argument and run arbitrary commands on the connected device. The fix adds an assertSafeComponentName allowlist (SAFE_COMPONENT_NAME_PATTERN) that rejects illegal characters and escapes the remaining $ and * when building the component argument.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted package or activity names to the affected commands.

Background info

appium-adb is vulnerable to OS Command Injection in versions 0.0.3 - 15.0.2.

How to fix this

Upgrade the appium-adb library to the patch version.