Skip to content

azu/msgpack-CVE-2021-23410-test

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
index.js
index.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

Test for https://snyk.io/vuln/SNYK-JS-MSGPACK-1296122

This looks like not vulerbility.

var assert = require('assert');
var msgpack = require('msgpack');
function sleep(ms) {
  return new Promise((resolve) => {
    setTimeout(resolve, ms);
  });
}
async function init() {
  var normal = { "a": 1, "b": 2, "c": [1, 2, 3] };
  var malicious = msgpack.pack({
    exploit: function () {
      // Note(by @azu): This Poc just run child_process.exec
      // It is not related to msgpack
      require('child_process').exec('echo code_executed!;sleep 3', function (error, stdout, stderr) {
        console.log(stdout)
      });
    }(),
  });
  var rce = msgpack.unpack(malicious);
  assert.deepEqual(rce, normal);
}

init();

PoC by Adi Malyanker

This PoC just run child_pross.exec, so This is not vulnerbiliy of msgpack.

Test

git clone git@github.com:azu/msgpack-CVE-2021-23410-test.git
cd msgpack-CVE-2021-23410-test
npm install
npm test

Related

About

No description, website, or topics provided.

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages