Share
## https://sploitus.com/exploit?id=38325F5A-9EC3-54A2-8A43-27D680589288
# Warp Terminal RCE (CVE-2024-41997)

Command injection via unsanitized `warp://` URI scheme handler. Full writeup at [0day.gg](https://0day.gg/blog/warp-terminal-rce/).

## Summary

| Property | Value |
|----------|-------|
| CVE | CVE-2024-41997 |
| Vulnerability | Command Injection (CWE-77) |
| Target | Warp Terminal (macOS) |
| Affected | < v0.2024.07.16.08.02 |
| Impact | Arbitrary command execution |
| Auth Required | None (1-click) |
| Attack Vector | Malicious `warp://` URL |

## Vulnerability

Warp registers a custom `warp://` URI scheme for Docker integration. The `/docker/open_subshell` action accepts a `shell` parameter that is incorporated into a command string without sanitization:

```
warp://action/docker/open_subshell?container_id=0&shell=INJECTION
```

The `container_id` is restricted to hex characters but is not validated against running containers. The `shell` parameter accepts arbitrary input, enabling command injection via shell metacharacters.

## Usage

1. Host `pwn.html` on a web server or open locally
2. Target clicks the link while Warp is running
3. Payload executes with Docker daemon privileges

The included PoC writes `id` output to `/tmp/hax` and terminates Warp to conceal the attack.

## Files

| File | Purpose |
|------|---------|
| `pwn.html` | 1-click RCE PoC |