VYPR
Critical severity · NVD Advisory · Published Aug 17, 2018 · Updated Aug 5, 2024

CVE-2018-3785

Description

Command injection in git-dummy-commit v1.3.0 allows OS-level command execution through unescaped parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The npm package git-dummy-commit, version 1.3.0 and earlier, contains a command injection vulnerability. The bug is an unescaped parameter that passes user-controlled input directly into a shell command, allowing arbitrary OS-level commands to be executed [1], [2].

Exploitation

An attacker needs to provide a specially crafted input to the affected parameter, which is then passed to a shell function without proper sanitization or escaping. No special network position or authentication is required if the attacker can control the parameter value used by the package [1], [2].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the process running the Node.js application. This can lead to full compromise of the system, including data exfiltration, data destruction, or further lateral movement [1], [2].

Mitigation

The vulnerable versions are <= 1.3.0. Users should upgrade to a patched version if available; as of the publication date (2018-08-17), no fix is mentioned in the references. The package may be considered abandoned or unmaintained. No workaround is provided. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1], [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
git-dummy-commit   npm         <= 1.3.0            -

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)