Nuclio's cron-trigger CronJob spec injects unsanitized event headers/body into a shell command — persistent RCE
Nuclio's controller builds a curl invocation for every cron-triggered function and drops it straight into a Kubernetes CronJob's /bin/sh -c args; an attacker-controlled event header key breaks the quoting, and the event body survives Go's strconv.Quote enough to smuggle $() command substitution (CVSS 10.0). Because the payload is baked into the CronJob spec rather than a request handler, the RCE persists across restarts until the CronJob itself is edited or deleted — this is function-as-a-service infrastructure executing on behalf of whoever can reach the trigger config, not just the invoked function. Patch to the fixed commit and audit any existing cron-triggered NuclioFunctions for CronJob specs that already contain unexpected shell metacharacters.