VYPR
Critical severity · NVD Advisory · Published Jul 25, 2022 · Updated Sep 16, 2024

Command Injection

CVE-2020-28438

Description

This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in deferred-exec npm package allows arbitrary command execution via unsanitized input.

Vulnerability

Overview

The deferred-exec npm package, a small wrapper for running shell commands through promises, is vulnerable to command injection in every published version. The injection point is at line 42 of lib/deferred-exec.js [1][3]. The exported function takes a command string as its first argument and hands it, unmodified, to Node's child_process exec, which runs the string through the system shell. The package neither escapes nor validates that string, so any part of it that comes from an untrusted source can carry shell metacharacters (;, &&, |, $(...), backticks) and with them additional commands.

Exploitation

An attacker exploits this by controlling all or part of the string that the application passes as the command argument. The package itself has no network surface and performs no authentication, so whether the attack is remote or unauthenticated depends entirely on the calling application and on how untrusted input (a request parameter, a filename, a form field) reaches that string. The Snyk advisory's proof of concept is simply var a = require("deferred-exec"); a(" touch JHU ",{}); [4], which creates a file named JHU in the working directory. It shows that the function runs whatever it is given as a shell command; in a real application the attacker would append a second command to an otherwise expected value, for example by ending their input with ; followed by the command they want run.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network.

Mitigation

As of the latest information there is no fixed version of deferred-exec [4], and the package appears to be unmaintained, so no upgrade resolves the issue. Users should remove the dependency and replace it with a way of running processes that does not involve a shell: child_process.execFile or spawn called with the program and an argument array, or util.promisify(execFile) where a promise interface is wanted. With an argument array there is no shell to interpret metacharacters, so a hostile value can at worst be an odd argument to the program, never an extra command. If migration is not immediately possible, make sure that no untrusted input, and in particular nothing derived from a request, reaches the string passed to the package; escaping or denylisting metacharacters is fragile and should not be relied on.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions   Patched versions
deferred-exec   npm         <= 0.3.1            none

Affected products

3

Patches

0

No patches discovered yet.
