CVE-2020-7596
Description
Command injection in Codecov npm module <3.6.2 allows remote attackers to execute arbitrary commands via the gcov-args argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-7596 is a command injection vulnerability in the Codecov npm module, versions before 3.6.2. The issue resides in the lib/codecov.js file, where the value provided for the gcov-args option is passed unsanitized to the exec function [3]. This lack of input validation allows an attacker to inject arbitrary shell commands.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious gcov-args string containing command separators such as &. The Snyk advisory provides a proof-of-concept demonstrating that an argument like "& touch PWNED &" leads to execution of the injected command [3]. The vulnerability is triggered when the Node.js codecov uploader processes coverage report options, requiring the attacker to control the gcov-args parameter. This could happen if an attacker is able to influence the coverage configuration, for example via a compromised CI/CD pipeline or a malicious dependency.
Impact
Successful exploitation allows remote attackers to execute arbitrary commands on the system running the vulnerable codecov module. The impact is complete compromise of the confidentiality, integrity, and availability of the affected environment, as the injected commands run with the privileges of the codecov process [1][3].
Mitigation
The vulnerability is fixed in codecov version 3.6.2 and later [3]. Users are strongly advised to upgrade immediately. As of February 1, 2022, the codecov-node uploader is deprecated and no longer supported [2], so migrating to the Codecov CLI uploader is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codecov (npm) | < 3.6.2 | 3.6.2 |
Affected products
- Codecov npm module
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mh2h-6j8q-x246 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7596 (ADVISORY)
- snyk.io/vuln/SNYK-JS-CODECOV-543183 (MISC, WEB)
News mentions
No linked articles in our index yet.