🦄 Node.js Security

~ 1 min read

Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone

share on
A command injection vulnerability exists for this command line tool that is available on the npmjs registry.

The following report is a disclosure of a command injection vulnerability discovered in the fast-git-clone command line tool, which is used to clone git repositories quickly. Unfortunately, the maintainer did not respond to multiple attempts to contact them regarding this security issue.

Resources:

Vulnerability Details

The fast-git-clone CLI accepts a URL as a command line argument for a remote repository to clone, such as:

fgc clone <repo>

The code in src/index.js on line 62 at the current tip of the branch makes use of command and command arguments concatenation from user input, which allows users to escape the git program and run any other arbitrary commands.

Exploitation

  1. Run fgc clone ";touch /tmp/clonepwn #"
  2. Observe the file /tmp/clonepwn created on the system.

Impact

This vulnerability is capable of allowing arbitrary commands on a system, even if users are only allowed to use fgc.

Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.

    Built with ConvertKit