VYPR
Critical severity · NVD Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-7614

Description

npm-programmatic through 0.0.12 is vulnerable to command injection via unsanitized packages and options passed to exec().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

npm-programmatic is a Node.js library that provides programmatic access to npm commands. Affected versions through 0.0.12 are vulnerable to command injection because user-supplied package names and option properties are concatenated directly into a command string without any validation or sanitization, and that string is then passed to the exec function [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious package name or option value containing shell metacharacters, such as command separators or backticks. For example, the Proof of Concept in the Snyk advisory shows that passing "& echo vulnerable > create.txt &" as a package name causes the exec function to execute the injected command as part of the npm call [1]. No authentication is required if an attacker can control the input to the library.

Impact

Successful exploitation allows an attacker to execute arbitrary shell commands on the system where the vulnerable library is used. This can lead to complete compromise of the host, including data exfiltration, installation of malware, or lateral movement within the network.

Mitigation

Status

As of the disclosure date, no fixed version of npm-programmatic has been released [1]. The only current mitigation is to avoid using the library and replace it with a safer alternative, or to ensure that all input passed to the library is strictly validated and sanitized before use.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: npm-programmatic (npm)
Affected versions: <= 0.0.12
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.