VYPR
Critical severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 16, 2024

CVE-2017-16020


Description

Summit 0.1.0 and later Node web framework uses eval unsafely in PouchDB driver, allowing remote code execution via collection name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in the PouchDB driver of the Summit web framework (versions 0.1.0 and later). In lib/drivers/search/pouch.js, a filter function is dynamically constructed by concatenating user-supplied opts.collection values into a string, which is then executed via eval(). An attacker can supply a malicious collection name containing arbitrary JavaScript code [1][3].

Exploitation

An attacker only needs to control the collection parameter passed to the PouchDB driver. This can be achieved via crafted HTTP requests or other input vectors. The code checks if collection is a string or array and builds a filter function with statements like "if (doc.type === '" + opts.collection + "')". The attacker can inject code such as ' + require('child_process').execSync('id') + ' to execute arbitrary commands. No authentication or special privileges are required [3].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the Node.js application, potentially resulting in remote code execution (RCE). This can allow the attacker to read sensitive files, exfiltrate data, or compromise the entire server [1][3].

Mitigation

The Summit repository has been archived and no official patch is available. Users should stop using the Summit framework or replace it with an alternative. If migration is not immediately possible, the vulnerable code in pouch.js should be refactored to avoid eval(), for example by using a whitelist of allowed collection names or using a safer alternative like Function constructor with strict input validation [3].
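The pattern described above (collection names concatenated into JavaScript source and passed to eval()) next to the refactoring the mitigation suggests, as an added example that is not Summit's own code: the function names, the allowlist contents and the sample documents are constructed for illustration.

```javascript
// Added illustration, not code from the Summit project.

// Vulnerable shape: the collection name becomes part of program text.
// A single quote in opts.collection ends the string literal, so whatever
// follows is executed as JavaScript, exactly the injection the advisory describes.
function buildFilterUnsafe(opts) {
  const names = Array.isArray(opts.collection) ? opts.collection : [opts.collection];
  const conds = names.map((c) => "doc.type === '" + c + "'").join(' || ');
  // eslint-disable-next-line no-eval
  return eval('(function (doc) { return ' + conds + '; })');
}

// Hardened shape: no code generation at all. Names are checked against an
// allowlist (constructed here) and compared as plain strings in a closure,
// so a hostile name is data that simply never matches, or is rejected outright.
const ALLOWED_COLLECTIONS = new Set(['users', 'posts', 'comments']);

function buildFilterSafe(opts) {
  const names = Array.isArray(opts.collection) ? opts.collection : [opts.collection];
  for (const c of names) {
    if (typeof c !== 'string' || !ALLOWED_COLLECTIONS.has(c)) {
      throw new TypeError('unknown collection: ' + JSON.stringify(c));
    }
  }
  const wanted = new Set(names);
  return (doc) => wanted.has(doc.type);
}

// Constructed sample documents standing in for a PouchDB result set.
const DOCS = [
  { _id: 'u1', type: 'users' },
  { _id: 'p1', type: 'posts' },
  { _id: 's1', type: 'secrets' },
];

// Apply a filter and return the ids it lets through.
function run(filter) {
  return DOCS.filter(filter).map((d) => d._id);
}

// A name containing a quote shows the broken boundary without any side effect:
// the unsafe builder turns it into "doc.type === '' || true || ''", which lets
// every document through, while the safe builder refuses it as unknown.
const QUOTED_NAME = "' || true || '";
```

With a legitimate name both builders return the same ids; with QUOTED_NAME the unsafe filter matches all three documents, including the one outside any requested collection, and the safe builder throws before any filter is built.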

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: summit (npm)
Affected versions: >= 0.1.0, <= 0.1.22
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.