{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/groovy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nuclio \u003c= 1.15.27"],"_cs_severities":["critical"],"_cs_tags":["code-injection","rce","template-injection","kubernetes","ci-cd","groovy"],"_cs_type":"advisory","_cs_vendors":["Nuclio"],"content_html":"\u003cp\u003eA critical vulnerability (CWE-94, Improper Control of Generation of Code) has been discovered in Nuclio's Java runtime, affecting versions up to and including 1.15.27. This flaw enables unauthenticated attackers to achieve remote code execution (RCE) within the build environment. The vulnerability stems from the Dashboard API's default NOP authentication and a lack of input validation on the \u003ccode\u003eruntimeAttributes.repositories\u003c/code\u003e field. Attackers can embed arbitrary Groovy code into this field, which is then unescaped and directly written into the \u003ccode\u003ebuild.gradle\u003c/code\u003e file during the function build process. This injected code executes unconditionally during the Gradle configuration phase with root privileges inside the builder container, leading to a complete compromise of the build system. The issue was dynamically verified and confirmed to allow commands like \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ehostname\u003c/code\u003e, and \u003ccode\u003ewhoami\u003c/code\u003e to execute as the root user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP POST request to the Nuclio Dashboard API's \u003ccode\u003e/api/functions\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request body includes a malicious \u003ccode\u003eruntimeAttributes.repositories\u003c/code\u003e field within the function definition, containing Groovy code designed to break out of the \u003ccode\u003erepositories {}\u003c/code\u003e block and execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe Dashboard API receives the request; due to default NOP authentication, no credentials or input validation are performed on the \u003ccode\u003eruntimeAttributes.repositories\u003c/code\u003e content.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enewBuildAttributes()\u003c/code\u003e function decodes the \u003ccode\u003eruntimeAttributes\u003c/code\u003e without content inspection, allowing the malicious string to pass through.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreateGradleBuildScript()\u003c/code\u003e function uses Go's \u003ccode\u003etext/template\u003c/code\u003e engine to render the \u003ccode\u003eruntimeAttributes.repositories\u003c/code\u003e verbatim into the \u003ccode\u003ebuild.gradle\u003c/code\u003e file, without any contextual escaping.\u003c/li\u003e\n\u003cli\u003eThe generated \u003ccode\u003ebuild.gradle\u003c/code\u003e file now contains the attacker's injected Groovy code as top-level statements.\u003c/li\u003e\n\u003cli\u003eThe build process, executed by \u003ccode\u003e./build-user-handler.sh\u003c/code\u003e inside the \u003ccode\u003equay.io/nuclio/handler-builder-java-onbuild\u003c/code\u003e container, invokes \u003ccode\u003egradle tasks\u003c/code\u003e and \u003ccode\u003egradle userHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring Gradle's configuration phase, the injected Groovy statements are evaluated, executing the attacker's arbitrary commands (e.g., \u003ccode\u003eid \u0026amp;\u0026amp; hostname \u0026amp;\u0026amp; whoami\u003c/code\u003e) with root privileges (\u003ccode\u003euid=0\u003c/code\u003e) inside the build container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in unauthenticated remote code execution with root privileges on the Nuclio build container. An attacker can execute arbitrary commands, leading to full compromise of the build environment, potential data exfiltration, supply chain attacks by injecting malicious code into compiled artifacts, or further lateral movement within the hosting Kubernetes cluster. The proof-of-concept demonstrated execution of \u003ccode\u003eid \u0026amp;\u0026amp; hostname \u0026amp;\u0026amp; whoami\u003c/code\u003e commands, returning \u003ccode\u003euid=0(root) gid=0(root) groups=0(root)\u003c/code\u003e, confirming maximum privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Nuclio deployments immediately to a version greater than 1.15.27 (once available) as this version is confirmed vulnerable.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs on Linux build containers for suspicious shell command execution (e.g., \u003ccode\u003esh -c\u003c/code\u003e followed by system enumeration commands like \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ewhoami\u003c/code\u003e, \u003ccode\u003ehostname\u003c/code\u003e) with \u003ccode\u003ejava\u003c/code\u003e as a parent process running \u003ccode\u003egradle\u003c/code\u003e, as described in the detection rule below.\u003c/li\u003e\n\u003cli\u003eImplement robust authentication and authorization for the Nuclio Dashboard API, moving away from NOP authentication, to prevent unauthenticated access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:42:07Z","date_published":"2026-07-16T19:42:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nuclio-rce/","summary":"Nuclio's Java runtime dashboard API, by default configured with NOP authentication, is vulnerable to remote code execution (CWE-94) where attackers can inject arbitrary Groovy code into the unsanitized `runtimeAttributes.repositories` field, which is directly written into the `build.gradle` file, allowing the injected code to execute during the Gradle configuration phase as root within the build container.","title":"Nuclio Java Runtime Vulnerability Leads to Build-Time Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-nuclio-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Groovy","version":"https://jsonfeed.org/version/1.1"}