CVE-2019-10801
Description
enpeem npm package ≤2.2.0 suffers from command injection via the unsanitized 'options.dir' argument passed to exec().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The enpeem package, a lightweight wrapper for accessing npm programmatically, is vulnerable to command injection in versions through 2.2.0. The root cause is that the options.dir argument is passed directly to the exec function without any sanitization [1][3]. This allows an attacker to inject arbitrary operating system commands.
Exploitation
An attacker can exploit this by controlling the options.dir value, for example through a malicious package or user-supplied input. The proof-of-concept provided by JHU System Security Lab demonstrates injecting commands such as & echo vulnerable > create.txt & into the production option, which is then used as options.dir [1]. No authentication is required if the attacker can supply the options object.
Impact
Successful exploitation results in arbitrary command execution on the system running enpeem. This can lead to full compromise of the application and its host environment, including data theft, malware installation, or further lateral movement [1].
Mitigation
As of the advisory, there is no fixed version for enpeem. The repository has been archived and is read-only [3]. Users are advised to avoid using enpeem and migrate to alternative packages that properly sanitize inputs [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| enpeem | npm | <= 2.2.0 | — |
Affected products
- enpeem/enpeem
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-hmw2-mvvh-jf5j (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-10801 (NVD advisory)
- [3] github.com/balderdashy/enpeem/blob/master/index.js (source)
- [4] snyk.io/vuln/SNYK-JS-ENPEEM-559007 (Snyk)
News mentions
No linked articles in our index yet.