VYPR
Critical severity · NVD Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7601

Description

Command injection in gulp-scss-lint allows arbitrary command execution via crafted options passed to the exec function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The gulp-scss-lint package through version 1.0.0 is vulnerable to command injection. The flaw resides in the src/command.js file, where user-controlled options are passed unsafely to the exec function without proper sanitization or validation. This allows an attacker to inject arbitrary shell commands through specially crafted input provided to the plugin's options.

Exploitation

To exploit this vulnerability, an attacker can supply a malicious src option as demonstrated in a proof-of-concept from the JHU System Security Lab [1][2]. When the package processes this option, it passes the injected string directly to exec, enabling execution of arbitrary system commands. No authentication or special privileges are required; the attacker only needs to control the options passed to gulp-scss-lint.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the system running the vulnerable gulp-scss-lint version. This can lead to severe consequences, including data exfiltration, malware installation, or full system compromise, depending on the privileges of the process executing the package.

Mitigation

A fix has been pushed to the master branch of the repository but was not yet published in a release as of disclosure [2]. Users are advised to avoid using the vulnerable version (1.0.0 or earlier) and monitor the package for an official patched release. No workaround is available other than not passing untrusted input to the options.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gulp-scss-lint (npm)
Affected versions: <= 1.0.0
Patched versions: none listed
