Project Address: Project Address 1Panel Official website: https://www.1panel.cn/ Time: 2025 07 26 Version: 1panel V2.0.5 Vulnerability Summary First, we introduce the concepts of 1panel v2 Core and Agent. After the new version is released, 1panel adds the node management function, which allows you to control other hosts by adding nodes. The HTTPS protocol used for communication between the Core and Agent sides did not fully verify the authenticity of the certificate during certificate verification, resulting in unauthorized interfaces. The presence of a large number of command execution or high-privilege interfaces in the 1panel led to RCE. Code audit process First we go to the Agent HTTP routing fileagent/init/router/router.go It was found that the Routersreference function in the function Certificatewas globally checked.agent/middleware/certificate.go The discovery Certificatefunction determines c.Request.TLS.HandshakeCompletewhether certificate communication has been performed Since c.Request.TLS.HandshakeCompletethe true or false judgment is determined by agent/server/server.gothe code Startfunctiontls.RequireAnyClientCert Note:：Here due to the use of tls.RequireAnyClientCert instead of tls.RequireAndVerifyClientCert，RequireAnyClientCert Only require the client to provide a certificate，Does not verify the issuance of certificates CA，So any self assigned certificate will pass TLS handshake。 The subsequent Certificatefunction only verified that the CN…Read More