CVE-2020-7614
Command Injection vulnerability in npm-programmatic (npm)
What is CVE-2020-7614 About?
All versions of `npm-programmatic` are vulnerable to Command Injection due to improper input sanitization. The package directly passes unsanitized `rules` input to `exec` calls within its `install`, `uninstall`, and `list` functions. This flaw allows attackers to execute arbitrary code on the system if they can control the package name provided to these functions, making exploitation potentially severe and straightforward.
Affected Software
- npm-programmatic (npm): all versions
Technical Details
The npm-programmatic package fails to properly sanitize user-controlled input. Specifically, the `install`, `uninstall`, and `list` functions directly pass the caller-supplied `rules` input to an underlying `exec` call. If an attacker can control the package name or other parameters passed to these functions, they can inject arbitrary shell commands. These commands are then executed with the privileges of the application running npm-programmatic, leading to arbitrary code execution on the host system. This is a classic command injection scenario, caused by trusting unsanitized input inside a system command execution context.
What is the Impact of CVE-2020-7614?
Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system, leading to full system compromise, data theft, data loss, and unauthorized access.
What is the Exploitability of CVE-2020-7614?
Exploitation requires the attacker to control the input to the install, uninstall, or list functions within npm-programmatic, specifically values that become part of the command executed by exec. This is possible if the application using npm-programmatic processes user-supplied package names or similar parameters without sanitization. The complexity of exploitation is generally low, as it's a direct command injection. Authentication requirements depend on whether the vulnerable functions are accessible to unauthenticated users or if prior authentication is needed to provide the malicious input. Privilege requirements would be those of the user running the npm-programmatic application. Remote exploitation is likely if the application exposes an interface that accepts user-controlled package names.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7614?
Available Upgrade Options
- No fixes available
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-7614
- https://osv.dev/vulnerability/GHSA-426h-24vj-qwxf
- https://snyk.io/vuln/SNYK-JS-NPMPROGRAMMATIC-564115
- https://github.com/Manak/npm-programmatic/blob/master/index.js#L18
- https://www.npmjs.com/advisories/1507
What are Similar Vulnerabilities to CVE-2020-7614?
Similar Vulnerabilities: CVE-2023-38646, CVE-2023-29499, CVE-2023-26116, CVE-2022-33980, CVE-2022-22965
