VYPR
High severity · NVD Advisory · Published Feb 28, 2020 · Updated Aug 4, 2024

CVE-2019-10804

Description

serial-number Node.js module through 1.3.0 allows command injection via unsanitized cmdPrefix argument passed to exec().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The serial-number package through version 1.3.0 contains a command injection vulnerability. The cmdPrefix argument in the serialNumber function is passed directly to Node's exec() function without any validation or sanitization [1]. The vulnerable code path can be seen in the module's source on GitHub [3].

An attacker can exploit this by providing a malicious string as the second argument to serialNumber(). The proof-of-concept provided by JHU System Security Lab shows that passing a string containing injected commands will cause them to be executed on the system [1]. No special authentication is required if the attacker can control the input to this function.

Successful exploitation allows arbitrary command execution on the host system with the privileges of the Node.js process. This could lead to a full system compromise depending on the context where the module is used. The impact is classified as critical by NVD with a CVSS v3.1 base score of 9.8 [2].

As of the publication date, no fix is available for the serial-number package. The recommended mitigation is to avoid using the vulnerable cmdPrefix parameter or to switch to an alternative module that does not have this vulnerability [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
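
The mitigation described above (keeping untrusted input away from cmdPrefix) can be enforced with a thin wrapper. This is an added example, not code from the serial-number project; it assumes the module is called as serialNumber(callback, cmdPrefix), and makeFakeSerialNumber is a constructed stand-in so the example runs offline.

```javascript
// Added example; not code from the serial-number project.
// Assumption: the module is called as serialNumber(callback, cmdPrefix).
// Exact-match allowlist. Filtering shell metacharacters is easy to get wrong,
// so anything that is not one of these strings is refused outright.
const ALLOWED_PREFIXES = new Set(['', 'sudo ']);

function checkCmdPrefix(cmdPrefix) {
  if (cmdPrefix === undefined || cmdPrefix === null) return '';
  // Reject arrays/objects: they would be coerced to a string on concatenation.
  if (typeof cmdPrefix !== 'string') throw new TypeError('cmdPrefix must be a string');
  if (!ALLOWED_PREFIXES.has(cmdPrefix)) {
    throw new RangeError('cmdPrefix not allowed: ' + JSON.stringify(cmdPrefix));
  }
  return cmdPrefix;
}

// Wrap the module's function so only vetted prefixes ever reach it.
function guardSerialNumber(serialNumberFn) {
  return function guarded(callback, cmdPrefix) {
    let prefix;
    try {
      prefix = checkCmdPrefix(cmdPrefix);
    } catch (err) {
      callback(err); // same error channel the caller already handles
      return;
    }
    serialNumberFn(callback, prefix);
  };
}

// Constructed stand-in for the module (hypothetical): records the prefix it
// was given instead of running a command.
function makeFakeSerialNumber(seen) {
  return function (callback, cmdPrefix) {
    seen.push(cmdPrefix);
    callback(null, 'CONSTRUCTED-SERIAL');
  };
}

// Run constructed inputs through the guard; report what was forwarded.
function demo(inputs) {
  const seen = [];
  const guarded = guardSerialNumber(makeFakeSerialNumber(seen));
  const results = inputs.map((input) => {
    let outcome;
    guarded((err, value) => { outcome = err ? err.name : value; }, input);
    return outcome;
  });
  return { seen, results };
}
console.log(demo([undefined, 'sudo ', 'sudo ; echo constructed', ['sudo ']]));
```

In an application, pass the real module's function to guardSerialNumber() once and export only the guarded version.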

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: serial-number (npm)
Affected versions: <= 1.3.0
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

4
