hugegraph-exploit
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides functional Java reflection payloads to achieve remote code execution (RCE) by bypassing the Gremlin Groovy sandbox in Apache HugeGraph. These payloads are designed to execute system commands through ProcessBuilder.
- [COMMAND_EXECUTION]: Includes a functional Python script (hugegraph_cve_2024_27348.py) and a Bash script that automate the exploitation process and allow for the execution of arbitrary commands provided by the user against target systems.
- [DATA_EXFILTRATION]: Contains specific payloads and instructions for Out-of-Band (OOB) data exfiltration, demonstrating how to pipe sensitive data from command output to an external server using curl.
- [CREDENTIALS_UNSAFE]: Includes a hardcoded, functional administrative JWT token for bypassing authentication in HugeGraph-Server versions prior to 1.5.0.
- [REMOTE_CODE_EXECUTION]: Contains functional reverse shell payloads (e.g., bash -i >& /dev/tcp/...) to establish persistent command-line access to vulnerable servers.
Recommendations
- CRITICAL: 1 infected file(s) detected - DO NOT USE
- AI detected serious security threats
Audit Metadata