Impact
An authenticated Nginx-UI user could modify protected settings such as the terminal start command and later trigger command execution through the web terminal workflow [S1]. GitHub Security Lab reported that this can lead to authenticated remote code execution, privilege escalation, and information disclosure when a vulnerable Nginx-UI runtime is deployed with the affected settings path reachable [S2].
Root Cause
CVE-2024-22198 is a command-injection issue in Nginx-UI settings handling, tracked as CWE-77 [S3]. The vulnerable code path allowed user-controlled settings data to influence a command that Nginx-UI later executed when terminal functionality was used [S2]. The upstream fix added protected settings handling so sensitive command-related fields cannot be overwritten through the settings API [S4].
How FixVibe covers it
FixVibe's GitHub repo scan can flag Go module metadata that resolves github.com/0xJacky/Nginx-UI to a version affected by CVE-2024-22198 / GHSA-8r25-68wm-jw35 / GO-2024-2462 [S1][S5]. The finding is reported as a version-based advisory: evidence includes the package, version, file path, affected range, fixed version, confidence, source quality, and the distinction between verified dependency evidence and unverified runtime exploitability.
FixVibe does not authenticate to Nginx-UI, change settings, modify start_cmd, open terminal sessions, execute commands, send command-injection strings, or claim live remote-code-execution confirmation from repository metadata. Public HTTP fingerprints alone are also not enough for this finding because they cannot reliably prove the deployed module version, patch/backport state, terminal exposure, authenticated user boundary, or whether the scanned repository is the runtime serving production traffic.
Remediation
Upgrade Nginx-UI to Go pseudo-version 1.9.10-0.20231219184941-827e76c46e63, Nginx-UI 2.0.0.beta.9, or a newer vendor-supported release [S1][S3]. Regenerate Go module metadata, rebuild every binary or container image that includes Nginx-UI, verify the deployed artifact no longer carries the affected version, and rerun the FixVibe GitHub repo scan.
While the upgrade rolls out, keep Nginx-UI administrative and terminal functionality restricted to trusted operators and trusted networks. Treat access restrictions as defense in depth: the durable fix is a rebuilt runtime that includes the protected-settings patch.
