Critical severity · GHSA Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7603

Description

closure-compiler-stream up to v0.1.15 allows command injection via the unsanitized 'options' argument, enabling arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

closure-compiler-stream is a streaming interface for the Closure Compiler. Versions up to and including 0.1.15 are vulnerable to command injection because the options argument passed to the exports function in index.js is not sanitized [1]. An attacker can control the options object to inject arbitrary shell commands.

Exploitation

Exploitation requires the attacker to control the options parameter. Although the package is intended for use in build pipelines (e.g., with Gulp), any application that passes user-controlled data as options is at risk. A proof-of-concept demonstrates that by crafting an options.module array with malicious strings, the injected command ($(touch JHU.txt)) gets executed [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the system running the vulnerable package. This can lead to complete compromise of the host, including data exfiltration, further lateral movement, or installation of malware.

Mitigation

As of the publication date, there is no patched version available for closure-compiler-stream [1][2]. The only mitigation is to avoid using the package with untrusted inputs or to replace it with an alternative that sanitizes options.
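
The injection pattern described above next to a hardened alternative, as an added example that is not code from closure-compiler-stream or from the advisory. The function names, the compiler.jar path and the option allow-list are assumptions; the hostile value is the one quoted in the proof-of-concept, and node itself stands in for the compiler so the example runs offline.

```javascript
'use strict';
const { execFileSync } = require('child_process');

// Constructed input in the shape the advisory describes: a hostile string
// placed in options.module.
const hostileOptions = { module: ['app:1', '$(touch JHU.txt)'] };

// Vulnerable pattern (hypothetical reconstruction, not the package's source):
// every option is joined into one string that is later handed to a shell.
function buildShellString(options) {
  const parts = ['java', '-jar', 'compiler.jar'];
  for (const [key, value] of Object.entries(options)) {
    for (const v of [].concat(value)) parts.push(`--${key}`, String(v));
  }
  return parts.join(' '); // a shell would expand $(...) inside this string
}

// Hardened pattern: allow-list option names, accept only string values that
// do not look like flags, and return an argv array for execFile (no shell).
const ALLOWED = new Set(['module', 'js', 'compilation_level']); // assumed list
function buildArgv(options) {
  const argv = [];
  for (const [key, value] of Object.entries(options)) {
    if (!ALLOWED.has(key)) throw new Error(`option not allowed: ${key}`);
    for (const v of [].concat(value)) {
      if (typeof v !== 'string' || v.startsWith('-')) {
        throw new TypeError(`bad value for ${key}`);
      }
      argv.push(`--${key}`, v);
    }
  }
  return argv;
}

// Stand-in child process (node itself) that echoes the arguments it received,
// so the example needs neither Java nor the Closure Compiler.
function echoArgs(argv) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', script, '--', ...argv]);
  return JSON.parse(out.toString());
}

console.log('shell string :', buildShellString(hostileOptions));
console.log('argv received:', echoArgs(buildArgv(hostileOptions)));
```

With execFile and an argv array the child receives the hostile value as one literal argument, so no command substitution takes place and JHU.txt is not created.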

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| closure-compiler-stream | npm | <= 0.1.15 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
