Arbitrary Code Execution

2019-06-20T20:20:45
ID NODEJS:1015
Type nodejs
Reporter Peisheng Lin(SYM01), Dong Lee
Modified 2019-06-26T14:35:29

Description

Overview

Versions of require-node prior to 1.3.4 for 1.x and 2.0.4 for 2.x are vulnerable to Arbitrary Code Execution. The package fails to sanitize requests to the require-node endpoint, allowing attackers to execute arbitrary code in the server through the injection of OS commands in the request body.

Recommendation

  • If you are using 1.x, upgrade to version 1.3.4 or later.
  • If you are using 2.x, upgrade to version 2.0.4 or later.