Critical severity · OSV Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7602

Description

CVE-2020-7602 allows unauthenticated command injection in node-prompt-here up to 1.0.1 via the NM_CLI environment variable, enabling arbitrary OS command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2020-7602 is a command injection vulnerability in the npm package node-prompt-here through version 1.0.1. The flaw resides in the runCommand() function within linux/manager.js, which is invoked by getDevices(). The function uses process.env.NM_CLI to construct an argument passed to execSync() without any sanitization or validation, allowing an attacker to control the injected command [1][2].

Attack Vector and Prerequisites

The attacker does not need authentication; they can exploit the vulnerability by setting the NM_CLI environment variable to a malicious value before loading the module. The proof-of-concept provided by Snyk demonstrates that by assigning a command string to process.env.NM_CLI (e.g., 'echo vulnerable > create.txt & nmcli'), and then calling root.getDevices(), arbitrary commands are executed. This attack surface is particularly dangerous in server-side Node.js applications where environment variables may be controlled by user input or external sources [2].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, installation of malware, or lateral movement within the infrastructure. The vulnerability is classified as critical due to the lack of authentication requirements and the potential for remote exploitation in affected deployments [1][2].

Mitigation Status

As of the last disclosure (March 2020), no patched version of node-prompt-here has been released. The package appears to be unmaintained, and users are advised to avoid using it in production environments. If continued use is necessary, strict control over environment variables and input sanitization must be enforced, though this is not a recommended long-term solution [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: node-prompt-here (npm)
Affected versions: <= 1.0.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)