VYPR
Critical severity · GHSA Advisory · Published Dec 11, 2020 · Updated Sep 16, 2024

Command Injection

CVE-2020-28440

Description

All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

corenlp-js-interface is vulnerable to command injection via its main function, allowing arbitrary command execution.

Vulnerability

Overview

The corenlp-js-interface npm package is vulnerable to command injection in its main function. All versions of this deprecated package are affected. The vulnerability stems from insufficient sanitization of user-supplied input passed to the main function, which is then executed as a system command. [1][2]

Exploitation

An attacker who controls the text passed to the main function can exploit this by supplying a specially crafted string. The published proof of concept passes a value containing shell metacharacters (the string ') touch JHU # ') and shows that the injected command is executed. No authentication is required beyond reaching the function with attacker-controlled input, which is realistic wherever the package is used to process user-submitted text. [2]

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This could lead to full system compromise, data exfiltration, or further lateral movement within the infrastructure. [2]

Mitigation

There is no fix available for this vulnerability, and the package is deprecated. The only recommended mitigation is to remove the package from any projects and migrate to an alternative library that provides similar functionality without the security risk. Until it is removed, make sure no untrusted input can reach the main function, since any string an attacker can influence is enough to trigger the injection. [1][2]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
corenlp-js-interface (npm) | <= 1.0.3 | none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)