VYPR
Critical severity · NVD Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7605

Description

Command injection in gulp-tape up to version 1.0.0 allows arbitrary command execution via crafted options.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in gulp-tape up to version 1.0.0 allows arbitrary command execution via crafted options.

Vulnerability

Overview

gulp-tape versions up to and including 1.0.0 are vulnerable to command injection. Values taken from the options object passed to the plugin (the name property in particular) reach an operating system shell without sanitization, so a caller who controls those options can append arbitrary shell commands to whatever command the plugin runs.

Exploitation

An attacker exploits this by supplying a crafted options object, for example setting the name property to a command string such as "& touch JHU.txt" (in a POSIX shell, & terminates the preceding command and starts touch JHU.txt as a second one). The injected command runs when the gulp.src() stream is piped through the vulnerable gulp-tape function. No authentication is involved: the only requirement is control over the options, so the realistic attack surface is a gulpfile or build pipeline that forwards externally controlled input (configuration files, environment variables, or values from a checked-out repository) into the plugin's options.

Impact

Successful exploitation executes arbitrary commands on the host running the gulp task with the privileges of the gulp process. On a developer workstation or CI runner that process typically has access to source code, credentials and deployment tokens, so the result can be full compromise of the build host, data theft, or lateral movement into the wider environment.

Mitigation

As of the publication date, no patched version of gulp-tape exists and the package appears unmaintained, so there is no official fix. The recommended mitigation is to stop using the package and replace it with a maintained alternative. If removal is not immediately possible, never pass untrusted input into the plugin's options: hard-code them in the gulpfile, or validate externally sourced values against an allowlist before use.

References: [1], [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gulp-tape (npm)
Affected versions: <= 1.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
