CVE-2020-7729
Arbitrary Code Execution vulnerability in grunt (npm)
What is CVE-2020-7729 About?
The `grunt` package before 1.3.0 is vulnerable to Arbitrary Code Execution due to its default usage of `js-yaml`'s insecure `load()` function instead of `safeLoad()` within `grunt.file.readYAML`. This flaw allows attackers to execute arbitrary code by supplying a malicious YAML file. Exploiting this vulnerability is relatively easy if an attacker can provide crafted YAML input.
Affected Software
Technical Details
The `grunt` package, specifically its `grunt.file.readYAML` function, uses the `js-yaml` library to parse YAML files. The vulnerability stems from its default use of `js-yaml`'s `load()` function instead of the safer `safeLoad()`. `load()` can deserialize arbitrary JavaScript objects and invoke constructors, so a specially crafted YAML string can lead to arbitrary code execution. An attacker can embed executable JavaScript directly within a YAML file using `js-yaml`'s `!!js/function` tag (e.g., `!!js/function > function() { require('child_process').execSync('rm -rf /'); }()`). When such a file is read by `grunt.file.readYAML` and processed by the insecure `js-yaml.load()`, the embedded JavaScript is executed in the context of the Node.js application, resulting in arbitrary code execution on the system.
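The following added example (not grunt's or js-yaml's own code) shows a defensive pre-check a maintainer can run over YAML before it reaches `grunt.file.readYAML` on an unpatched install, or use to audit a repository's YAML files: it locates js-yaml's JavaScript-specific tags, and a wrapper refuses such input before parsing. `findUnsafeTags`, `readYAMLSafely` and the sample document are constructed here as assumptions; the real fix remains upgrading to grunt 1.3.0.

```javascript
// Added example, not code from grunt or js-yaml.
// js-yaml's JavaScript-specific tags (its "js" schema types) are the ones a
// safe schema refuses; their presence in untrusted input is the signal here.
const UNSAFE_TAG = /!!js\/(function|regexp|undefined)\b/;

/**
 * Scan YAML text line by line and return every occurrence of a js-yaml
 * JavaScript-specific tag, ignoring trailing comments.
 * Returns [{ line, tag }], 1-based line numbers.
 */
function findUnsafeTags(yamlText) {
  const hits = [];
  yamlText.split(/\r?\n/).forEach((line, idx) => {
    // A '#' starts a YAML comment only at line start or after whitespace.
    const code = line.replace(/(^|\s)#.*$/, '');
    const m = UNSAFE_TAG.exec(code);
    if (m) hits.push({ line: idx + 1, tag: `!!js/${m[1]}` });
  });
  return hits;
}

/**
 * Hardened replacement for the readYAML pattern: refuse input carrying
 * !!js/* tags, then hand it to a loader that must itself be schema-safe
 * (js-yaml 3.x: yaml.safeLoad; js-yaml 4.x: yaml.load is safe by default).
 * `parse` is injected (assumption) so the example runs without js-yaml.
 */
function readYAMLSafely(yamlText, parse) {
  const hits = findUnsafeTags(yamlText);
  if (hits.length > 0) {
    const where = hits.map(h => `${h.tag} at line ${h.line}`).join(', ');
    throw new Error(`refusing YAML with JavaScript tags: ${where}`);
  }
  return parse(yamlText);
}

// Constructed sample with the same shape as the document in the advisory;
// the function body is a placeholder, not a working payload.
const SAMPLE_MALICIOUS = [
  'name: build',
  'hook: !!js/function >',
  '  function() { /* attacker-controlled body */ }()',
].join('\n');

const SAMPLE_BENIGN = 'name: build\n# !!js/function mentioned only in a comment\n';
```

Running `findUnsafeTags(SAMPLE_MALICIOUS)` reports the `!!js/function` tag on line 2, while the benign sample yields no hits and `readYAMLSafely` passes it through to the injected parser.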
What is the Impact of CVE-2020-7729?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2020-7729?
Exploitation involves an attacker providing a specially crafted malicious YAML file to an application that processes it using grunt.file.readYAML. The complexity is low to moderate, depending on how easily an attacker can introduce or modify YAML files processed by grunt. No authentication is required if the application accepts untrusted YAML input. This is a remote attack if the attacker can upload or provide the YAML file over a network. The primary prerequisite is that the application uses a vulnerable version of grunt and reads YAML files from an untrusted source. The risk of exploitation is significantly increased if project configurations or user-defined workflows involve YAML files that are subject to external modification.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7729?
Available Upgrade Options
- grunt
  - <1.3.0 → Upgrade to 1.3.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-7729
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922
- https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249
- https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
- https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html
- https://usn.ubuntu.com/4595-1/
- https://osv.dev/vulnerability/GHSA-m5pj-vjjf-4m3h
What are Similar Vulnerabilities to CVE-2020-7729?
Similar Vulnerabilities: CVE-2017-16070, CVE-2019-10740, CVE-2019-12290, CVE-2020-13936, CVE-2021-3796
