Advisories for Golang/Github.com/Nuclio/Nuclio package

This vulnerability exists in Nuclio's Shell Runtime component, allowing attackers with function invocation permissions to inject malicious commands via HTTP request headers, execute arbitrary code with root privileges in function containers, steal ServiceAccount Tokens with cluster-admin level permissions, and ultimately achieve complete control over the entire Kubernetes cluster. Recommended CWE classification: CWE-78 (OS Command Injection). Nuclio Shell Runtime processes the X-Nuclio-Arguments HTTP header without validation or escaping, directly concatenating user …