Node.js third-party modules: `open` concatenates unsanitized input into exec() command

ID H1:319473
Type hackerone
Reporter chalker
Modified 2019-12-13T17:06:57


I would like to report command injection in open. It allows arbitrary shell commands to be injected by specifying crafted URLs.


  • module name: open
  • version: 0.0.5
  • npm page:

Module Description

> Open a file or url in the user's preferred application.

Module Stats

  • 31 293 downloads in the last day
  • 473 107 downloads in the last week
  • 1 968 932 downloads in the last month

~23 627 184 estimated downloads per year


Vulnerability Description

URLs are not properly escaped before being concatenated into the command string that is executed with exec(), so shell metacharacters in a URL are interpreted by the shell.

Steps To Reproduce:

```js
require("open")("`touch /tmp/tada`");
```

Observe that the file /tmp/tada is created.

Supporting Material/References:

  • Arch Linux Current
  • Node.js 9.5.0
  • npm 5.6.0
  • bash 4.4.012

Wrap up

  • I contacted the maintainer to let him know: N
  • I opened an issue in the related repository: N


User A, who can pass URLs to be opened by `open` on machine B, can execute arbitrary shell commands on machine B.