When creating a new user, the username isn't escaped (see line 174, user.js).
As such, one could send a request to the API with the username eg. "; sudo rm -Rf --no-preserve-root /; echo " and run commands as root on the server.
The username is validated during registration. Those commands are only run if the username is in the database which would require registration so at NO POINT would this work. Let me remind you once again that the V1 branch is frozen and all work is being done on V2.
Berates someone for reporting a vulnerability saying "it's validated during registration... at NO POINT would this work".
Silently fixes in a commit, leaving OP looking like a dumbass.
+1, you were right. I assumed we had something to prevent this within our couchdb setup but we don't. I didn't write any of this code, excuse me for not knowing it like the back of my hand.