<p>Upgrade <code>script-manager</code> to version 0.9.0 or higher.</p>

Arbitrary Code Execution Affecting script-manager package, versions <0.9.0

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

EPSS 8.49% (95^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-SCRIPTMANAGER-548308
published 7 Feb 2020
disclosed 26 Jul 2019
credit Vasilii Ermilov

Report a new vulnerability Found a mistake?

Introduced: 26 Jul 2019

CVE-2020-8129 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

Upgrade script-manager to version 0.9.0 or higher.

Overview

script-manager is a manager for running foreign and potentially dangerous scripts in the cluster.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It runs HTTP server as a child process and sends requests to this server. The server dynamically loads (with help of require()) some parts of the code, as long as the path to the required code depends on the data from the request (req.body.options.execModulePath). If an attacker knows the port of the server, it is possible to load code that was not intended to execute.