CVE-2023-2479 - OS Command Injection in appium/appium-desktop Before v1.22.3-4—What Happened, How It Works, and How to Stay Safe

CVE-2023-2479 is a security vulnerability that made headlines in 2023 after being discovered in the appium/appium-desktop project. For those dealing with mobile app automation, Appium Desktop is a well-known tool. But if you’ve used a version prior to v1.22.3-4, you could be at risk of OS Command Injection—a flaw that lets attackers execute system commands with the privileges of the running app.

This post will break down the vulnerability, show code snippets to illustrate the issue, demonstrate how an attacker might exploit it, and help you secure your systems. All in plain, practical language.

What is the CVE-2023-2479 Vulnerability?

The short answer: OS Command Injection means a program takes unsanitized user input and runs it as a shell command. In the context of Appium Desktop (before v1.22.3-4), this meant that a malicious actor could get the app to run any command on your computer.

Official NVD Listing:  
- https://nvd.nist.gov/vuln/detail/CVE-2023-2479

GitHub Security Advisory:  
- https://github.com/appium/appium-desktop/security/advisories/GHSA-2gvj-cc6v-8hfg

Where Was the Bug?

The vulnerability was introduced by a backend route in Appium Desktop that accepted user input and passed it directly to the operating system shell. This was typically used to start or interact with device sessions, but the input was not properly sanitized.

A simplified example in JavaScript (Node.js context)

// BAD CODE – vulnerable version
const child_process = require('child_process');

app.post('/start-device', (req, res) => {
    const deviceName = req.body.deviceName; // comes from user input
    // UNSAFE: User input directly put into shell command!
    child_process.exec(adb start-server --device ${deviceName}, (err, stdout, stderr) => {
        if (err) {
            res.status(500).send(stderr);
        } else {
            res.send(stdout);
        }
    });
});

Here, if a user types pixel4 as the device name, it runs

adb start-server --device pixel4

But if someone puts in something like pixel4 ; rm -rf /, then it runs

adb start-server --device pixel4 ; rm -rf /

That second part could destroy files on your system.

Step 1: Find the Vulnerable Endpoint

The attacker discovers the app's API is exposed locally (or, in some setups, to the network) and identifies the exact route (like /start-device).

Instead of sending a normal device name, the attacker sends a payload

dummyDevice ; uname -a > /tmp/hacked.txt

Step 3: Gain System Access

The server receives the input and concatenates it into a shell command, so the OS executes both the intended command and malicious command (here, dumping system info to a file).

HTTP Request Example (using curl)

curl -X POST http://localhost:4723/start-device -d '{"deviceName":"dummy ; uname -a > /tmp/hacked"}' -H 'Content-Type: application/json'

This will create (or overwrite) /tmp/hacked with the output of uname -a.

Step 4: Escalate or Persist

Once the attacker can run commands, they can do nearly anything: steal files, install malware, or use the compromised desktop to attack other systems.

How Did Appium Fix It?

Starting with version v1.22.3-4, the code was patched to properly sanitize user input or use safer alternatives:

// GOOD CODE – safe version
const { spawn } = require('child_process');

app.post('/start-device', (req, res) => {
    const deviceName = req.body.deviceName;
    // SAFE: user input passed as an argument, not to the shell, so special chars have no effect
    const proc = spawn('adb', ['start-server', '--device', deviceName]);
    proc.on('close', (code) => {
        res.send(Process exited with code ${code});
    });
});

Here, there’s no way to sneak in shell syntax (;, &&, etc).

How to Stay Safe?

1. Update appium/appium-desktop to at least v1.22.3-4.
  - Get the latest releases here
2. Do not run Appium Desktop as root/admin unless absolutely required.

Restrict network access to the API endpoints—keep them local, not open on public interfaces.

4. If you’re a developer, never concatenate user input into system shell commands. Use parameterized APIs like spawn, not exec.

Further Reading

- CWE-78: OS Command Injection
- OWASP Command Injection
- Node.js child_process documentation

Takeaway

CVE-2023-2479 is a classic but dangerous type of vulnerability—one line of insecure code can compromise your entire machine. The fix is simple, so upgrade old Appium Desktop versions now. As a rule, treat all user input with suspicion, and never pass it directly to your operating system’s shell.

Stay updated. Stay safe.

*This post is exclusive content for developers and users who rely on open-source automation tools. Secure your pipeline, and spread the word!*

Timeline

Published on: 05/02/2023 15:15:00 UTC
Last modified on: 05/17/2023 17:05:00 UTC