VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2020 · Updated Aug 4, 2024

CVE-2019-10796

Description

The rpi Node.js library (≤0.0.3) contains a command injection vulnerability in the GPIO function due to unsanitized input passed to exec().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The rpi library, a Node.js package for controlling Raspberry Pi GPIO pins, contains a command injection vulnerability in versions up to 0.0.3. The GPIO function in src/lib/gpio.js concatenates the pinNumber parameter straight into the command string handed to exec(), which runs that string through a shell, so shell metacharacters in the value are interpreted as additional commands rather than as a pin number [1][2][3].

Exploitation requires control over the pinNumber argument, for example when an application passes user-supplied or externally sourced data into it. A proof-of-concept from JHU System Security Lab demonstrates that passing a string such as ';touch vulnerable.txt;' as the pin number results in command execution [3]. No authentication is needed if the application exposes this parameter to untrusted sources.

Successful exploitation enables arbitrary command execution on the system running the rpi library, potentially leading to full compromise of the Raspberry Pi device, data exfiltration, or further lateral movement [1][3].

As of the advisory, no patched version of the rpi package exists. Users are advised to avoid using the library or to strictly validate any value passed to the GPIO function before it reaches the shell (for example, accept only a small non-negative integer and reject everything else). The vulnerability is tracked as SNYK-JS-RPI-548942 [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
rpi       npm         <= 0.0.3            none

Affected products (2)

  • rpi/rpi
  • GHSA coordinates: range <= 0.0.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.