Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Ghidra versions before 12.1 contain a command injection vulnerability in URL annotation handling on Windows systems. When users click on URLs embedded in program comments, the application fails to properly escape cmd.exe metacharacters, allowing attackers to execute arbitrary commands with the privileges of the Ghidra user. This vulnerability is particularly dangerous for reverse engineers and security analysts who regularly analyze untrusted binaries and may be socially engineered into clicking malicious URLs hidden in code comments. Organizations using Ghidra for malware analysis, vulnerability research, or binary review are at risk of compromise if they open projects containing crafted comments from untrusted sources.
While this CVE lacks an explicit MITRE ATT&CK mapping, Casky's AI-driven analysis would detect attack patterns consistent with Command and Scripting Interpreter (T1059) and Application Layer Protocol (T1071) through behavioral detection of URL-handler invocation chains and subprocess execution flows. A practitioner reviewing findings would observe suspicious patterns such as cmd.exe being spawned in response to a URL click, unescaped cmd.exe metacharacter sequences in annotation data, and mismatches between the user's intent (open a link) and the command actually executed. By mapping input validation failures to process execution chains, Casky's extended reasoning would help security teams identify similar injection patterns across their reverse engineering workflows and implement defensive controls around annotation handling in development tools.
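As an added defensive example (not Ghidra's code and not part of this page's original content), the Python below rejects URL annotations that carry raw cmd.exe metacharacters or a non-http(s) scheme before anything is launched, audits a set of constructed comments, and shows the launch pattern that hands the URL to the OS handler as a single argument rather than a shell string. The `{@url "target" "text"}` annotation form and the rule flagging `&` outside a query string are assumptions made for this example.

```python
import re
import webbrowser
from urllib.parse import urlparse

# Characters cmd.exe interprets (pipes, redirection, the ^ escape, quotes, whitespace)
# that a well-formed URL never carries raw: legitimate URLs percent-encode them.
SHELL_ONLY = frozenset('|<>^"\r\n\t ')
ALLOWED_SCHEMES = frozenset({"http", "https"})
URL_ANNOTATION = re.compile(r'\{@url\s+"([^"]*)"')  # assumed form: {@url "target" "text"}

def check_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason); only an accepted URL may reach a launcher."""
    raw = sorted({c for c in url if c in SHELL_ONLY})
    if raw:
        return False, "raw cmd.exe metacharacters: " + repr("".join(raw))
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + repr(parsed.scheme)
    if not parsed.netloc:
        return False, "missing host"
    # '&' is normal in a query string but a command separator to cmd.exe;
    # flagging it anywhere else is a heuristic chosen for this example.
    if "&" in parsed.netloc or "&" in parsed.path:
        return False, "'&' outside query string"
    return True, "ok"

def audit_comments(comments: dict[str, str]) -> list[tuple[str, str, str]]:
    """comments maps address -> comment text; returns (address, url, reason) per rejected URL."""
    findings = []
    for addr, text in comments.items():
        for url in URL_ANNOTATION.findall(text):
            ok, reason = check_url(url)
            if not ok:
                findings.append((addr, url, reason))
    return findings

def safe_open(url: str, opener=webbrowser.open) -> bool:
    """Validate, then hand the URL to the OS handler as one argument, never as a shell string."""
    ok, reason = check_url(url)
    if not ok:
        raise ValueError(reason)
    return opener(url)

# Constructed sample comments, not taken from any real project.
SAMPLE_COMMENTS = {
    "00401000": 'vendor docs {@url "https://example.com/doc?id=1&v=2" "docs"}',
    "00401020": 'ref {@url "https://example.com/doc&echo" "click me"}',
    "00401040": 'notes {@url "file:///C:/tools/notes.txt" "local copy"}',
    "00401060": 'bad {@url "https://example.com/a b" "spaced"}',
}
```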
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-52750. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation