From NodeMedic-FINE:

ACI in pixl-tools

Package source
Github repo

Package description
A set of miscellaneous utility functions for Node.js.

Vulnerability Overview
Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If (attacker-controlled) user input is given to the getpwnam function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

This vulnerability is due to use of the child_process.exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
Reproduction
The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.

Environment: Node.js v15.5.0 on Linux

Steps to reproduce:
1. npm i pixl-tools@1.0.33
2. Create a file poc.js, containing the PoC code.
3. node poc.js

A file called success will be created in the /tmp directory as a result of the execution of the PoC.

Mitigation
- Use execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
- Only pass inputs to exec that match a predefined allow-list.
- Sanitize inputs to exec such that they do not contain shell meta-characters such as $().

To contact
jhuckaby jhuckaby@gmail.com