Arbitrary Code Injection

Affecting growl package, versions <1.10.0

Do your applications use this vulnerable package? Test your applications

Overview

growl is a package adding Growl support for Nodejs.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

Upgrade growl to version 1.10.0 or higher.

References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits
CVE
CVE-2017-16042
CWE
CWE-94
Snyk ID
npm:growl:20160721
Disclosed
21 Jul, 2016
Published
01 May, 2017