When creating a Strapi app with npx create-strapi-app, arbitrary commands can be injected through the template CLI argument, as shown by the code at this link (https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13). This happens because the user-supplied template value is not sanitized before it is used.
1) npx create-strapi-app my-project --quickstart --template ";touch poc.txt;"
2) Run the "ls" command and you will see that a file called "poc.txt" was created in the current directory.
An attacker can execute arbitrary OS commands, which can lead to local privilege escalation to root if the strapi package can be run with sudo.
Sanitize the input of the template parameter before introducing it into the execution context.
Regards,
R. Srikar ([email protected]) & Abhishek S ([email protected])