eDEX-UI is archived and abandoned (October 2021). The vulnerability described here allows remote command execution through cross-site WebSocket hijacking, and the original maintainers have no plans to patch it.
CVE-2023-30856 - Cross-site WebSocket Hijacking leading to Remote Command Execution (RCE)
- Severity: CRITICAL 10.0 (NIST NVD) / High 8.3 (GitHub CNA)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None per the CVSS vector (the victim only has to load an attacker-controlled page; no click or confirmation is needed)
- Scope: Changed
- Impact: HIGH Confidentiality, Integrity, Availability compromise
- User runs eDEX-UI (it opens a WebSocket server on localhost)
- User visits a malicious website in any browser
- The website's JavaScript connects to eDEX-UI's WebSocket (ws://localhost:3000)
- The website sends arbitrary input to your shell
- Commands execute with your user privileges
The browser's same-origin policy does not stop the handshake: any page may open a WebSocket to any host it likes, and the only cross-site signal the server receives is the Origin header, which eDEX-UI never checks.
Vulnerable code, edex-ui/src/classes/terminal.class.js:458 (the connection handler accepts every client without checking where it came from):
```javascript
this.wss.on("connection", ws => {
```
Since no official patch exists, this community fix adds origin validation to the WebSocket handshake:
```javascript
// REPLACE the WebSocket server initialization with:
this.wss = new this.Websocket({
    port: this.port,
    clientTracking: true,
    verifyClient: info => {
        // Existing single-connection limit. wss.clients is a Set when
        // clientTracking is enabled, so check .size: the original .length
        // is always undefined on a Set and never blocked anything.
        if (this.wss.clients.size >= 1) {
            return false;
        }
        // CRITICAL FIX: block external origins. The Electron renderer is
        // loaded from disk and presents Origin: file://; a web page presents
        // its own http(s) origin (or "null" from a sandboxed frame).
        const origin = info.req.headers.origin;
        if (origin && !origin.startsWith("file://")) {
            console.log(`BLOCKED malicious connection from: ${origin}`);
            return false;
        }
        return true;
    }
});
```
The patch blocks:
- Malicious websites connecting to your terminal
- Remote command execution attacks
- Cross-site WebSocket hijacking
- Unauthorized shell access from web pages
The check only inspects the Origin header. A handshake that carries no Origin at all (a non-browser client running on the same machine) is still accepted, exactly as before the patch; that case is outside CVE-2023-30856, which concerns connections initiated from a web page.
Location: src/classes/terminal.class.js around line 458
Find the WebSocket server creation and add the verifyClient validation shown above.
After patching, malicious connection attempts will be logged:
BLOCKED malicious connection from: https://malicious-site.com
eDEX-UI should continue working normally with local file-based connections.
Since no patch will be released, the original team suggests:
- Shut down eDEX-UI when browsing the web
- Run eDEX-UI with minimal privileges (limited user account)
These workarounds are impractical for normal use - applying the community patch is recommended.
eDEX-UI uses legacy dependencies that are challenging to build on modern systems:
```shell
# Use Node.js 16.x (required for compatibility)
nvm install 16.20.2
nvm use 16.20.2
# Install build tools (Ubuntu/Debian)
sudo apt-get install build-essential python3-dev
# For other systems:
# CentOS/RHEL: sudo yum groupinstall "Development Tools"
# Arch: sudo pacman -S base-devel python
# macOS: xcode-select --install
```
If building fails persistently, you can run eDEX-UI in development mode with the security patch:
```shell
# Apply the patch to src/classes/terminal.class.js
# Then run in development mode:
npm start
```
Note: Development mode still applies your security patch and is safer than unpatched eDEX-UI.
Why this is critical:
- Any website you visit can execute commands on your system
- Maximum NVD severity rating (10.0); complete compromise of your user account, and of everything it can reach, is possible
- No user interaction beyond loading the page
- Works silently in the background; nothing is visible in the browser
- Full access to your user account privileges
- Confidentiality, Integrity, and Availability all HIGH impact
With the patch applied:
- External WebSocket connections are blocked
- Local functionality is preserved
- Attack surface is significantly reduced
Even so:
- Other undiscovered vulnerabilities likely exist
- Dependencies are 3+ years old with known security issues
- No future security updates will be provided
- Compatibility with modern systems will degrade
For Security-Conscious Users: Migrate to maintained alternatives
- Warp - Modern terminal with AI features
- Hyper - Electron-based, actively maintained
- Alacritty - Fast, GPU-accelerated
- Kitty - Feature-rich with good performance
- Windows Terminal - Microsoft's modern terminal
- iTerm2 - macOS-specific advanced terminal
- Cool-retro-term - Retro terminal aesthetics
- Terminator - Multiple terminal panes
- Guake/Yakuake - Drop-down terminals
- Custom themes in modern terminals can replicate the sci-fi look
- Addresses the specific CVE-2023-30856 vulnerability
- Maintains original functionality
- Does not modify licensing or distribution rights
Provided "as-is" without warranty. Users assume responsibility for modifications.
- Not recommended for production environments
- Personal use only - understand the security implications
- Regular security monitoring is essential
- Network isolation strongly recommended
- CVE Database: CVE-2023-30856
- NVD Published: April 28, 2023
- NVD Last Modified: November 21, 2024
- NIST CVSS: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- GitHub CNA CVSS: 8.3 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- GitHub Security Advisory: GHSA-q8xc-f2wf-ffh9
- CWE Classifications: CWE-346 (Origin Validation Error), CWE-1385 (Missing Origin Validation in WebSockets)
- Reporter: aufzayed
- WebSocket Hijacking: https://christian-schneider.net/CrossSiteWebSocketHijacking.html
- Vulnerable Code: edex-ui/src/classes/terminal.class.js:458 (CWE-1385)
eDEX-UI is abandoned software with a critical RCE vulnerability. The original maintainers will not provide patches. This community fix prevents the specific attack while you plan migration to maintained software.
Apply this patch immediately if you continue using eDEX-UI, and plan migration to secure, maintained alternatives.