CVE-2019-5413
Description
The npm package morgan before version 1.9.1 contains a command injection vulnerability via the format parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The npm package morgan is an HTTP request logger middleware for Node.js. Versions prior to 1.9.1 are vulnerable to a command injection attack through its format parameter. An attacker can inject arbitrary commands by providing a specially crafted string to the format option, which is then passed unsanitized to functions that execute shell commands [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a malicious HTTP request that includes a crafted format parameter value. While the typical usage of the format parameter in morgan is for server-side configuration, any user or external actor who can control the format argument (e.g., through an application's API endpoint that passes user input to the morgan format option) can inject arbitrary shell commands. No authentication is required if the vulnerable endpoint is exposed [1][2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the server with the privileges of the Node.js process. This can lead to full server compromise, including data exfiltration, file modification, or further lateral movement within the network [1][2][3].
Mitigation
Users should upgrade morgan to version 1.9.1 or later, which was released on March 25, 2019 and includes a fix for this vulnerability. If upgrading is not immediately possible, users should avoid passing untrusted user input to the format option of morgan [3].
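An added defensive example, not code from the advisory or from the morgan project: it audits a package-lock.json for morgan versions below the patched 1.9.1 and keeps the format option on a fixed allowlist of morgan's predefined format names, so a request-controlled string never reaches it. The lockfile content is constructed for the demonstration; the helper names are my own.

```javascript
// Added example (not from the advisory or from morgan itself): flag morgan
// versions affected by CVE-2019-5413 (< 1.9.1) in a lockfile and keep the
// format option on an allowlist so untrusted input never reaches it.
const PATCHED = [1, 9, 1];

// Parse "1.8.2", "^1.8.2" or "~1.9.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version sorts below the patched release 1.9.1.
function isVulnerableMorgan(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false;
}

// Walk lockfile v2/v3 ("packages") or v1 ("dependencies", nested) entries
// and return every installed morgan version that is still affected.
function findVulnerableMorgan(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/morgan') && isVulnerableMorgan(entry.version)) hits.push(entry.version);
  }
  const walk = (deps) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (name === 'morgan' && isVulnerableMorgan(dep.version)) hits.push(dep.version);
      walk(dep.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return hits;
}

// Only morgan's predefined format names are accepted; any other string,
// including one taken from a request, falls back to the default 'combined'.
const FORMAT_ALLOWLIST = new Set(['combined', 'common', 'dev', 'short', 'tiny']);
function selectFormat(requested) {
  return FORMAT_ALLOWLIST.has(requested) ? requested : 'combined';
}

// Constructed v1 lockfile: a direct dependency on 1.8.2 and a nested 1.9.1.
const sampleLock = { lockfileVersion: 1, dependencies: {
  morgan: { version: '1.8.2' },
  'some-lib': { version: '2.0.0', dependencies: { morgan: { version: '1.9.1' } } },
} };
console.log(findVulnerableMorgan(sampleLock)); // prints [ '1.8.2' ]
```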
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| morgan (npm) | < 1.9.1 | 1.9.1 |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gwg9-rgvj-4h5j (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5413 (advisory)
- github.com/nodejs/security-wg/blob/master/vuln/npm/473.json
- hackerone.com/reports/390881
- lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E (mailing list)
- www.npmjs.com/advisories/736
News mentions: 0
No linked articles in our index yet.