mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-03-31 06:34:17 -04:00
Upstream Calibre-Web application has unpatched vulnerabilities #1570
Closed
opened 2025-11-20 05:12:35 -05:00 by saavagebueno
3 comments
Reference: SVI/ProxmoxVE#1570
Originally created by @vhsdream on GitHub (Jul 25, 2025).
✅ Have you read and understood the above guidelines?
yes
📜 What is the name of the script you are using?
calibre-web
📂 What was the exact command used to execute the script?
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/calibre-web.sh)"
⚙️ What settings are you using?
🖥️ Which Linux distribution are you using?
Debian 12
📝 Provide a clear and concise description of the issue.
Two weeks ago a security team attempted to make contact with the Calibre-Web dev and received no response. Today they have published the details of two vulnerabilities in the application; you can read about them here and here.
Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script.
Some info about the vulns:
As far as I can tell, these vulns have only been patched in Autocaliweb - a fork of Calibre-Web and Calibre-Web Automated.
🔄 Steps to reproduce the issue.
See description
❌ Paste the full error output (if available).
See description
🖼️ Additional context (optional).
I just wanted to make this issue so that people using Calibre-Web are aware of this. I also want to make clear that the install and update scripts hosted by the Community Scripts org are not the source of the vulnerabilities - it's the upstream Calibre-Web source over which the org has no control.
We might want to consider temporarily removing the Calibre-Web scripts from the repo until there is an update from the Calibre-Web dev.
@MickLesk commented on GitHub (Jul 25, 2025):
I don't use calibre, but from your description this looks like a critical CVE.
In my opinion we should remove the json from the website and back up the install script until a new version is released. What do you think?
@vhsdream commented on GitHub (Jul 25, 2025):
Realistically speaking, the worst that could happen is a denial of service. Although it's not outside the realm of possibility that you have people out there who didn't change the default admin password (or have an easily brute-forced one) and have exposed their Calibre-Web to the internet, in which case an attacker could gain root-level access to the LXC. Luckily, by default it's unprivileged, but it's still not a good idea to have any kind of compromise.
I agree with you and think we should pull the script.
@michelroegl-brunner commented on GitHub (Jul 26, 2025):
Removed for now.