Critical severity · NVD Advisory · Published Mar 15, 2020 · Updated Aug 4, 2024

CVE-2020-7607

Description

gulp-styledocco through 0.0.3 is vulnerable to command injection via unsanitized user-controlled options argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The gulp-styledocco plugin for Gulp (versions through 0.0.3) contains a command injection vulnerability in its index.js file. The options parameter passed to the exports function is not sanitized before being used, allowing an attacker to inject arbitrary commands [1][2].

Exploitation

An attacker can exploit this by crafting a malicious options object. For example, setting the name property to a string containing shell metacharacters (e.g., 123"& touch Vulnerable& ") triggers command execution when the plugin processes the file stream [1]. No authentication or special privileges are required; the attack can be performed by any user who can control the options passed to the plugin, such as in a build pipeline where user-supplied configuration is used.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the Gulp process. This can lead to full system compromise, data exfiltration, or further lateral movement within the build environment [1][2].

Mitigation

As of the advisory publication date (March 2020), no fixed version of gulp-styledocco is available. Users are advised to avoid using this package or to ensure that user-supplied data is not passed as options to the plugin. Alternative plugins that provide similar functionality without the vulnerability should be considered [1].
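
The flaw class described above, shown as an added example that is not part of the advisory and is not gulp-styledocco's code: a string-built shell command next to an argument-array invocation with allowlist validation. The styledocco binary name, its --name/--out flags and all function names are assumptions made for illustration.

```javascript
// Added illustration, not gulp-styledocco's source. The `styledocco` binary
// name and its --name/--out flags are assumptions made for this sketch.
const { execFile } = require('child_process');

// Vulnerable pattern: option values are pasted into a single string that a
// shell (child_process.exec) will parse, so metacharacters become syntax.
function buildShellCommand(options, files) {
  return 'styledocco --name "' + options.name + '" --out ' + options.out +
    ' ' + files.join(' ');
}

// Hardened pattern, layer 1: one array element per argument. With execFile
// no shell is involved, so each value reaches the program byte-for-byte.
function buildArgv(options, files) {
  return ['--name', String(options.name), '--out', String(options.out), ...files];
}

// Layer 2: allowlist validation, so odd values fail the build early and a
// value starting with "-" cannot be mistaken for another flag.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$/;
const SAFE_PATH = /^[A-Za-z0-9_.][A-Za-z0-9_./-]*$/;

function validateOptions(options, files) {
  if (typeof options.name !== 'string' || !SAFE_NAME.test(options.name)) {
    throw new TypeError('options.name contains disallowed characters');
  }
  for (const p of [options.out, ...files]) {
    if (typeof p !== 'string' || !SAFE_PATH.test(p)) {
      throw new TypeError('path contains disallowed characters: ' + JSON.stringify(p));
    }
  }
  return true;
}

// Validates, then runs the tool without a shell.
function runStyledocco(options, files, callback) {
  validateOptions(options, files);
  return execFile('styledocco', buildArgv(options, files), callback);
}

// Constructed input: the name value quoted in the advisory text.
const hostile = { name: '123"& touch Vulnerable& "', out: 'docs' };
```

On Windows, npm installs CLI tools as .cmd shims, which execFile cannot start without a shell; there, run the tool's JavaScript entry point through process.execPath rather than re-enabling a shell.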

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
gulp-styledocco (npm) | <= 0.0.3 | (none listed)

Affected products

2

Patches

0

No patches discovered yet.

References

3
