fail2ban RCE
6 points by gmem
Behold our future: so much AI-generated stuff that looks right enough that reviewers are going to be exhausted and just start approving things, and suddenly vulnerability feeds become useless firehoses of garbage
I see no reference to an upstream bug report, nor any matches for CVE-2025-45311 in the upstream fail2ban repo. I also don't see any reproducer with default filters?
The reproducer https://packetstorm.news/files/id/189989 is pretty different from the conditions listed at https://gist.github.com/R-Security/1c707a08f9c7f9a91d9d84b5010aaed2 in the CVE refs.
Specifically, in the former:
- Check sudo permissions: Ensures the user has the ability to run fail2ban-client as root.
This is like making random tools suid. You can't do that (or make them runnable by sudo via configuration) without checking basically everything they can do.
In the gist:
Note: This demonstration must be done inside a controlled lab environment, using systems owned by the tester.
That's slop if I've ever seen it.
In the comments under the gist, an upstream bug report (by someone who's not the CVE requester) is mentioned:
https://github.com/fail2ban/fail2ban/issues/4110
It was closed for being the slop that it is.
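The point made above is that granting sudo to fail2ban-client is not a bug in fail2ban, it is a sudoers decision, and the check that matters is the one you do before writing the rule. The following is an added example, not code from fail2ban, from the gist, or from any commenter: a small sudoers-style audit that flags grants of `ALL`, grants of tools that can be told to run other commands as root (here fail2ban-client, whose jail actions are configurable commands, plus editors and pagers with well-known shell escapes), and grants of such tools that are argument-restricted and so still need a human look. The sudoers text, the user names and the tool list are constructed for illustration; the list is a starting point, not a complete catalogue.

```python
"""Audit sudoers-style rules for grants that are effectively root.

Added example for this thread; not code from fail2ban or from the CVE gist.
All sudoers lines below are constructed, and ROOT_EQUIVALENT is an
illustrative starting list (assumption) that should be extended per host.
"""
import re

# Constructed sample sudoers content (users, hosts and paths are made up).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/fail2ban-client
alice   ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status
bob     ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
carol   ALL=(root) /usr/bin/less /var/log/auth.log
"""

# Tools that, once run as root with no argument restriction, let the caller
# run commands of their own choosing: fail2ban-client because jail actions
# are commands it can be told to set and run (the thread's point), vim and
# less because of their shell escapes. Assumption: extend for your hosts.
ROOT_EQUIVALENT = {
    "/usr/bin/fail2ban-client",
    "/usr/bin/vim",
    "/usr/bin/less",
}

# user host=(runas[:group]) [TAG: ]cmd [args][, cmd [args]...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Leading tags such as NOPASSWD:, SETENV:, NOEXEC: in front of a command.
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT)\s*:\s*)+"
)


def parse_rule(line):
    """Return (user, runas_user, [(cmd, args), ...]) or None for non-rules."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    # "(ALL:ALL)" -> "ALL"; a missing runas spec means root.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = TAG_RE.sub("", spec.strip())
        parts = spec.split(None, 1)
        cmds.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return m.group("user"), runas, cmds


def classify(cmd, args):
    """Verdict for one command grant."""
    if cmd == "ALL":
        return "full-root"
    if cmd in ROOT_EQUIVALENT:
        # Unrestricted: the grant is a root shell in all but name.
        # Argument-restricted: narrower, but still needs a human review.
        return "root-equivalent" if not args else "review-args"
    return "ok"


def audit(text):
    """Return (user, runas, cmd, args, verdict) for every non-ok grant."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        user, runas, cmds = parsed
        for cmd, args in cmds:
            verdict = classify(cmd, args)
            if verdict != "ok":
                findings.append((user, runas, cmd, args, verdict))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, args, verdict in audit(SAMPLE_SUDOERS):
        print(f"{verdict:16} {user:8} as {runas:5} {cmd} {args}".rstrip())
```

On the constructed sample, `ops` is reported as root-equivalent (unrestricted fail2ban-client), `alice` and `carol` as needing argument review, and `bob`'s restricted systemctl and journalctl grants are not flagged. The parser handles the one-line rule form only; `\`-continued lines and aliases (`Cmnd_Alias`) are out of scope here.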
If they have limited sudo privileges, you're probably doomed. Anyway. I agree, it seems like AI slop.
If a user can execute fail2ban-client with sudo,
I think we can all stop reading at this point? How is this even remote code exec?
allows attackers with limited sudo privileges to perform arbitrary operations as root.
This doesn't sound like RCE to me.