← Back
Summary
code injection in gem (CVE-2026-41512). Successful exploitation can lead to full system takeover. Exploitable via `POST /targets/auto_detect_selectors`.
AI summary openai / gpt-4o
A critical vulnerability has been identified in the AI model safety tool "ai-scanner". This issue allows attackers to inject malicious code, resulting in arbitrary execution without requiring user intervention. The vulnerability affects versions from 1.0.0 to before 1.4.1, and upgrading to version 1.4.1 resolves the issue. Immediate update is strongly advised if your company uses this tool.
Between versions 1.0.0 and 1.4.1 of ai-scanner, a RCE vulnerability exists via JavaScript injection in `BrowserAutomation::PlaywrightService`. The gateway is the `POST /targets/auto_detect_selectors` endpoint where URLs are improperly escaped before insertion into Node.js scripts, allowing execution of arbitrary code. The issue is patched in 1.4.1. Update command: `gem update ai-scanner`. No workaround has been provided, immediate update is required.
❓ What is the problem
A remote code execution vulnerability through JavaScript injection.
📍 Affected scope
In `BrowserAutomation::PlaywrightService` via `POST /targets/auto_detect_selectors`, specifically by interpolating unescaped URLs.
🔥 Severity
Critical risk due to potential remote code execution without user intervention.
🔧 How to fix
Update to ai-scanner version 1.4.1.
🛡️ Workaround
No workaround specified.
🔍 Detection
Monitor for unusual requests to `POST /targets/auto_detect_selectors` with suspicious URLs.
Related past incidents Similar incidents extracted from past CVEs
Similar RCE via unescaped input leading to arbitrary code execution in web applications.
Pulse Connect Secure Remote Code Execution Vulnerability (similar execution path exploitation).
Although different in nature, Heartbleed is an infamous example of a critical exploit.
If this happens at your company Expected impact per business scenario
📌 For companies utilizing AI model security assessments with ai-scanner.
Potential unauthorized access to critical systems and sensitive information exposure due to RCE vulnerability.
📌 Organizations using Docker environments integrated with ai-scanner.
Exploitation can lead to lateral movement across Docker containers, compromising multiple services.
📌 SaaS providers offering model validation services through ai-scanner.
Service disruption and potential data breach leading to loss of trust and financial penalties.
Recommended action
Organizations should update their ai-scanner installations to version 1.4.1 immediately and review security settings.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
Audit SBOM/dependencies for affected components.依存マニフェストで影響コンポーネントを特定する。
-
2Match against affected range verify
Confirm if version satisfies `>= 1.0.0, <= 1.4.0`Step 1 で見つかったバージョンが影響範囲 `>= 1.0.0, <= 1.4.0` に該当するか照合。本番で稼働中ならインシデント扱い。
-
3Hunt for indicators of compromise detect
grep 'POST /targets/auto_detect_selectors' /var/log/nginx/access.log | grep -E '(unusual_payload|sqli_pattern)'アクセスログで `POST /targets/auto_detect_selectors` への異常なリクエスト (不正な認証ヘッダ・SQLメタ文字)を過去 30〜90日分捜索。WAF/SIEM があれば該当パスのアラート発火履歴を確認。
-
7Post-deployment verification verify
Replay attack against POST /targets/auto_detect_selectors on staging to confirm patch closes the vectorパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。