VYPR
Critical severity · NVD Advisory · Published Jan 8, 2020 · Updated Aug 4, 2024

CVE-2019-10777

Description

In aws-lambda versions prior to version 1.0.5, "config.FunctionName" is used to construct the argument passed to the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands into the "zipCmd" through the value of "config.FunctionName".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in aws-lambda prior to 1.0.5 via unsanitized FunctionName used in exec() allows arbitrary command execution.

The vulnerability is a command injection flaw in the aws-lambda npm package (versions <1.0.5). The package's deploy functionality constructs a shell command (zipCmd) using the config.FunctionName parameter without sanitization, then passes it to the Node.js exec() function [1][3]. This allows an attacker to inject arbitrary commands by providing a malicious FunctionName value.

Exploitation requires an attacker to control the configuration file used by aws-lambda, specifically the FunctionName field. The attacker can craft a value containing shell metacharacters (e.g., "& touch Song &") which gets concatenated into the command string [3]. No authentication is needed beyond access to the configuration file; the attack is local to the system running the deploy command.

Successful exploitation allows arbitrary command execution with the privileges of the user running aws-lambda. An attacker could execute system commands, potentially leading to data exfiltration, installation of malware, or lateral movement within the environment [2][3].

The issue was fixed in version 1.0.5 of aws-lambda [2][3]. Users should upgrade to the latest version. No workarounds are documented; the fix involves proper sanitization of the FunctionName input before use in exec().

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aws-lambda (npm)
Affected versions: < 1.0.5
Patched versions: 1.0.5
