VYPR
Critical severity · NVD Advisory · Published Jul 25, 2022 · Updated Sep 17, 2024

Command Injection

CVE-2020-28447

Description

All versions of the xopen npm package are vulnerable to command injection via the filepath argument, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-28447 affects all versions of the npm package xopen, which provides a Promise-based API to open files with the default system application. The vulnerability is a command injection flaw located in line 14 of index.js in the exported function xopen(filepath) [1][2]. The package fails to sanitize the filepath input before passing it to a shell command, allowing an attacker to inject arbitrary OS commands.

Exploitation

An attacker can exploit this vulnerability by supplying a malicious filepath string containing shell metacharacters. For example, the proof of concept provided by Snyk uses var attack_code = "& touch JHU"; to execute the touch command [4]. No authentication is required; any application that passes user-controlled input to xopen is at risk. The attack surface is broad, as xopen is designed to open files from Node.js on Windows, macOS, and Linux.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the calling Node.js process. This can lead to data exfiltration, malware installation, or full system compromise.

Mitigation

As of the publication date, there is no fixed version available for xopen [4]. The package appears to be unmaintained. Affected users should immediately stop using xopen and migrate to alternative packages that safely handle file opening, such as open or opn, or implement proper input sanitization and validation for any user-supplied file paths.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
xopen (npm)    <= 1.0.0            (none)

Affected products: 2

Patches: 0 (no patches discovered yet)
