VYPR
Critical severity · NVD Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7606

Description

docker-compose-remote-api versions through 0.1.4 allow command injection via unsanitized serviceName parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The package docker-compose-remote-api (versions up to and including 0.1.4) contains a command injection vulnerability in its exec() function. Inside index.js, the exec(serviceName, cmd, fnStdout, fnStderr, fnExit) function directly uses the serviceName variable in a command context without any sanitization or validation, allowing attacker-controlled input to be interpreted as part of the operating system command [1][2].

Exploitation

An attacker can exploit this by controlling the serviceName argument, for example by passing a string containing shell metacharacters such as an ampersand (&). A proof-of-concept (exec("& touch vulnerable.txt")) demonstrates that arbitrary commands can be appended and executed [2]. No authentication is required if the application exposes this API endpoint to untrusted users.

Impact

Successful exploitation allows arbitrary command execution on the host system running the Node.js application. An attacker could compromise the server, exfiltrate data, install malware, or pivot to other systems. The vulnerability is classified as critical due to the high potential impact.

Mitigation

As of the disclosure date (March 2020), no fixed version was available for docker-compose-remote-api [2]. Users of affected versions should upgrade to a patched release if one becomes available, or discontinue use of the package. An alternative is to implement strict input validation to sanitize the serviceName parameter before passing it to the exec function.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: docker-compose-remote-api (npm)
Affected versions: <= 0.1.4
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.