web javascript nodejs inspector sigusr1 devtools-protocol rce

Open a Node process's inspector with SIGUSR1, then use the DevTools protocol to evaluate code in that process.

DevTools / Node Inspector Pivot via SIGUSR1

Node starts its inspector listener when the process receives SIGUSR1 (by default on 127.0.0.1:9229) unless that behaviour has been disabled. Once the listener is open, the DevTools protocol allows code evaluation inside that process, which often amounts to a privilege-boundary bypass when the main runtime is hardened but a signalable side process has more freedom.

Why It Works

  • SIGUSR1 starts the inspector listener; Runtime.evaluate over the WebSocket runs arbitrary code in the target process.

Vulnerable Pattern

  • Multi-process Node apps where one process can signal another and local inspector access is reachable on 127.0.0.1.

Exploit Flow

  1. Find the target PID and confirm SIGUSR1 is not blocked.
  2. Open the inspector, fetch /json/list, and recover the WebSocket endpoint.
  3. Send Runtime.evaluate or other DevTools commands to read files or invoke privileged APIs.

Variations

  • Multiple worker processes, alternate inspector ports, or already-open inspector endpoints.

Common Blockers

  • Container signal restrictions, no path to the target PID, or inspector disabled by runtime flags.

PoC Sketch

kill -USR1 <pid>
curl http://127.0.0.1:9229/json/list
# then connect to the returned WebSocket and run Runtime.evaluate

Good Situations To Use It

  • You can signal another Node process.
  • The inspector port is reachable on localhost.
  • The signalable process has more privileges than your foothold.

Sources

  • fcsc2026/web/fcsc_aquarium