CVE-2013-7378
Description
CVE-2013-7378: Hubot Scripts email.coffee before 2.4.4 uses exec() with unsanitized user input, allowing remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The vulnerability resides in scripts/email.coffee of the Hubot Scripts module for Node.js, prior to version 2.4.4. The sendEmail function constructs a shell command by interpolating user-supplied input directly into a string passed to child_process.exec(). Specifically, the email subject and message fields are concatenated into a command string without any sanitization or escaping [1][4]. This allows an attacker to inject arbitrary shell commands through the email subject or message parameters.
Exploitation
An attacker can exploit this by sending a crafted chat message to the Hubot instance that triggers the email command. The vulnerable command is activated via a chat message matching the pattern /email (.*) -s (.*) -m (.*)/i, where the first group provides recipients, the second is the subject, and the third is the message body. The subject and message are inserted directly into a shell command, so an attacker can include shell metacharacters (e.g., backticks, $(), semicolons) to execute arbitrary commands on the server running Hubot [3]. The fix, introduced in commit feee5ab, replaces exec() with execFile() and passes arguments as an array, so no shell parses the user-supplied values and shell injection is prevented [4].
Impact
Successful exploitation allows a remote attacker to execute arbitrary operating system commands with the privileges of the Hubot process. This can lead to full compromise of the server, including data exfiltration, installation of malware, or pivot attacks within the network. The Node Security Project advisory for this issue noted it as a potential command injection vulnerability [2].
Mitigation
The vulnerability is fixed in Hubot Scripts version 2.4.4 and later. Users should upgrade to at least that version. No workaround is provided; the only remediation is to apply the patch. The CVE was published on 2020-02-12, but the vulnerability was originally reported in 2014 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hubot-scripts (npm) | < 2.4.5 | 2.4.5 |
Affected products
- Node.js/Hubot Scripts module
Patches
feee5abdb038: Fix code execution issue in email command.
1 file changed · +6 −4
src/scripts/email.coffee+6 −4 modified@@ -18,16 +18,18 @@ util = require 'util' child_process = require 'child_process' -exec = child_process.exec module.exports = (robot) -> emailTime = null sendEmail = (recipients, subject, msg, from) -> - mailCommand = """echo '#{msg}' | mail -s '#{subject}' -r '#{from}' '#{recipients}'""" - exec mailCommand, (error, stdout, stderr) -> + mailArgs = ['-s', subject, '-a', "From: #{from}", '--'] + mailArgs = mailArgs.concat recipients + p = child_process.execFile 'mail', mailArgs, {}, (error, stdout, stderr) -> util.print 'stdout: ' + stdout util.print 'stderr: ' + stderr + p.stdin.write "#{msg}\n" + p.stdin.end() robot.respond /email (.*) -s (.*) -m (.*)/i, (msg) -> - sendEmail msg.match[1], msg.match[2], msg.match[3], msg.message.user.id + sendEmail msg.match[1].split(" "), msg.match[2], msg.match[3], msg.message.user.id msg.send "email sent"
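Review bot: `msg.match[1].split(" ")` in the respond handler yields empty-string entries whenever recipients are separated by more than one space, and those empty strings are then appended after `--` as arguments to mail; splitting on whitespace (`/\s+/`) and dropping empty tokens avoids that. The execFile callback still ignores `error` and only prints stdout/stderr, so a failed spawn (mail absent or non-executable) is silent while the bot replies "email sent"; and the `p.stdin.write` / `p.stdin.end` calls issued right after spawning have no error handler on the stdin stream, so a child that exits early can surface an unhandled stream error. Separately, replacing `-r '#{from}'` with `-a "From: #{from}"` changes which mail option carries the sender, which is a behavioural change beyond the injection fix that the commit message does not document.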
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hwch-749c-rv63 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-7378 (NVD advisory)
- www.openwall.com/lists/oss-security/2014/05/13/1 (oss-security, via GHSA)
- www.openwall.com/lists/oss-security/2014/05/15/2 (oss-security, via GHSA)
- github.com/github/hubot-scripts/commit/feee5abdb038a229a98969ae443cdb8a61747782 (fix commit, via GHSA)
- web.archive.org/web/20140731222413/https://nodesecurity.io/advisories/Hubot_Potential_command_injection_in_email.coffee (Node Security Project advisory, via MITRE)
- www.npmjs.com/advisories/13 (npm advisory, via GHSA)
News mentions
No linked articles in our index yet.