OS Command Injection in ljharb/npm-lockfile

Valid

Reported on

Feb 28th 2022


Description

npm-lockfile before 2.0.4 does not santize unsafe external input and invoke sensitive command execution API with the input, causing command injection vulnerability.

Proof of Concept

// npm i npm-lockfile@2.0.3

const getLockfile = require('npm-lockfile/getLockfile');
getLockfile("./package-lock.json", "08/01/2022",{"only":"prod|touch /tmp/rce"}) // a file named rce will be created at /tmp

Impact

This vulnerability is capable of executing arbitrary command on the hosting operating system.

We are processing your report and will contact the ljharb/npm-lockfile team within 24 hours. 2 years ago
We have contacted a member of the ljharb/npm-lockfile team and are waiting to hear back 2 years ago
Jordan Harband modified the report
2 years ago
Jordan Harband
2 years ago

Maintainer


This is indeed an issue, which v3+ works around by no longer shelling out to npm.

It feels like 8.8 is too high a score - anything where you'd have to attack yourself is barely a vulnerability at all. When this becomes a CVE, please ensure it is scored accordingly low.

Either way, I've released a fix in v2.0.5 as well, so now v2 is safe from this self-attack. v1 lacks "only" support, and v3 uses Arborist instead of shelling out, so they're both immune. Also note that v2.0.3 is the version that added "only" support (it should have been a minor, oops) so only v2.0.3 and v2.0.4 are vulnerable.

Jordan Harband validated this vulnerability 2 years ago
xiaofen9 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jordan Harband marked this as fixed in v2.0.5 with commit bfdb84 2 years ago
Jordan Harband has been awarded the fix bounty
Feng Xiao
2 years ago

Researcher


Could you help assign a CVE for this vulnerability? Credit to: Feng Xiao, Zhongfu Su. Thanks. @admin

Jamie Slome
2 years ago

Hey Feng, Jordan πŸ‘‹

We can assign a CVE here, as long as Jordan is happy to do so.

Jordan - regarding the CVSS, I can see that you adjusted the CVSS, but was there a reason you didn't adjust this to 8.8 instead of a lower score before approving? Just trying to see if there was a bug here, or something confusing on the platform?

Jordan Harband
2 years ago

Maintainer


Mainly because the score is only calculated from all the buttons, and technically all the button answers are correct (after my adjustment).

I'm not sure what score would be appropriate for a self-attack, but tbh i'd consider it slightly above zero.

I'm fine with there being a CVE - i just don't want it to imply this was more dangerous than it actually is.

Jamie Slome
2 years ago

Thanks for the response Jordan!

I will arrange a CVE, and adjust the severity of the report to a significantly lower score, i.e. ~ 1.0 (Low) severity mark.

Are you happy for me to proceed?

Jordan Harband
2 years ago

Maintainer


Yep, thank you!

Jamie Slome
2 years ago

I have adjusted the CVSS to as low as I can get it without changing the meaning of the vector items drastically.

For the record, the previous score was 8.8 (High) and has been reduced to 3.8 (Low). For anyone viewing this report from the CVE record, please see the maintainer's (Jordan) comments above on security impact.

CVE-2022-0841 assigned and published! 🎊

Jordan Harband
2 years ago

Maintainer


The CVE says "prior to v2.0.5", but the only vulnerable versions are v2.0.3 and v2.0.4. Can you edit the description to be more precise?

Jamie Slome
2 years ago

Adjustments made here πŸ‘

to join this conversation