# Patch Analysis: CVE-2026-5463 ## Status of Fix **CRITICAL FINDING**: As of the analysis date (2026-04-04), there is **NO PATCH AVAILABLE** on PyPI for CVE-2026-5463. - PyPI latest version: 1.0.6 (vulnerable) - Fixed version claimed: 1.0.7+ (NOT RELEASED) - GitHub repository: No commit referencing CVE-2026-5463 fix found ## Vulnerable Code Locations The vulnerability exists in TWO locations within `pymetasploit3/msfrpc.py` in the `MsfConsole.run_module_with_output()` method: ### Location 1: Module Options (Line 2299) ```python for k in opts.keys(): options_str += 'set {} {}\n'.format(k, opts[k]) # VULNERABLE ``` **Attack Vector**: Attacker injects malicious values into module options (e.g., `RHOSTS`, `RPORT`) ### Location 2: Payload Options (Line 2316) ```python for k, v in payload.runoptions.items(): if v is None or (isinstance(v, str) and not v): continue options_str += 'set {} {}\n'.format(k, v) # VULNERABLE ``` **Attack Vector**: Attacker injects malicious values into payload options (e.g., `LHOST`, `LPORT`) ## What a Fix Must Address A proper fix would need to: 1. **Sanitize newline characters** (`\n`, `\r`) from all option values before interpolation 2. **Sanitize both locations** - both module options and payload options 3. **Consider other metacharacters** - semicolons (`;`) could potentially be used for command chaining in Metasploit console ### Proposed Fix Strategy ```python # Sanitization function def _sanitize_option_value(value): if not isinstance(value, str): return value # Remove newlines and carriage returns sanitized = value.replace('\n', '').replace('\r', '') return sanitized # Application in run_module_with_output() for k in opts.keys(): safe_value = _sanitize_option_value(opts[k]) options_str += 'set {} {}\n'.format(k, safe_value) # And for payload options: for k, v in payload.runoptions.items(): if v is None or (isinstance(v, str) and not v): continue safe_value = _sanitize_option_value(v) options_str += 'set {} {}\n'.format(k, safe_value) ``` ## Fix Assumptions and Potential Gaps ### Assumption 1: Newlines are the only dangerous character **Risk**: Metasploit console may interpret other characters as command separators ### Assumption 2: Only `run_module_with_output()` is affected **Risk**: Other functions that build console commands may have similar issues ### Functions NOT vulnerable (confirmed): - `MsfModule.execute()` - Uses RPC API directly (msgpack), not console command building - `ModuleManager.execute()` - Uses RPC API directly - `MsfConsole.write()` - Direct console write (caller controls entire command) ### Code Paths NOT Covered by Typical Fix: 1. **Payload options injection** (line 2316) - May be missed if fix only addresses module options 2. **Non-string option values** - Type confusion not addressed 3. **Custom console commands** built via `write()` - Out of scope by design ## Bypass Potential If a fix only addresses newlines in module options but misses: - Payload options at line 2316 → **BYPASS POSSIBLE** - Other whitespace characters → **BYPASS POSSIBLE** - Case variations (unicode newlines) → **BYPASS POSSIBLE** ## Recommendations for Complete Fix 1. Sanitize BOTH module options AND payload options 2. Use an allowlist approach or strict input validation 3. Consider using the RPC API (`ModuleExecute`) instead of console command building when possible 4. Add unit tests with malicious inputs to prevent regression 5. Document security boundary: console commands vs RPC API ## Related Code Paths - `MsfConsole.run_module_with_output()` - Main vulnerable function - `MsfModule.execute()` - Safe alternative using RPC API - `ModuleManager.execute()` - Safe alternative using RPC API ## Conclusion The vulnerability is **UNPATCHED** as of analysis date. When a fix is released, it must address both module options and payload options to be complete. The safest approach is to avoid building console command strings with user input entirely, and use the RPC API which serializes data properly.