VYPR
High severity · NVD Advisory · Published Feb 6, 2020 · Updated Aug 4, 2024

CVE-2019-10789

Description

curling.js before 1.1.0 is vulnerable to OS command injection in its run() function, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The curling.js npm package, a thin wrapper around the curl command-line tool, contains an OS command injection vulnerability in its run(command, cb) function. The command argument is interpolated into a shell command line and handed to a shell without sanitization or escaping, so shell metacharacters in attacker-controlled input are interpreted by the shell and arbitrary commands run with the privileges of the Node.js process. The vulnerable code is in lib/curl-transport.js [1][2].

Exploitation

Method

An attacker exploits this by controlling all or part of the command argument passed to run(), for example through a web application that builds the string from user-supplied data. No authentication is required beyond the ability to influence that input. The Snyk advisory's proof-of-concept uses an ampersand to append a second command: root.run("& touch JHU", function(){}) [3]. The shell treats & as a command separator, so touch JHU executes as a separate command, showing that the input reaches the shell unsanitized; any other shell metacharacter (;, |, $(), backticks) works the same way.

Impact

Successful exploitation lets an attacker execute arbitrary OS commands, with the privileges of the Node.js process, on any system running an application that passes untrusted input to the vulnerable curling package. This can lead to full system compromise, data exfiltration, or further lateral movement. The CVSS score is 9.8 (Critical), reflecting the severity of unauthenticated remote command execution [1].

Mitigation

The vulnerability was patched in curling version 1.1.0; users should upgrade to that version or later. No workaround is given in the sources, so upgrading is the only recommended course of action. Because the root cause is untrusted data reaching run(), the only defensible interim measure while an upgrade is pending is to ensure that no attacker-influenced string is ever passed to that function. The vulnerability was disclosed and fixed in February 2020 [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: curling (npm)
Affected versions: < 1.1.0
Patched versions: 1.1.0
