VYPR
Moderate severity · NVD Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-7615

Description

fsa package before 0.5.2 is vulnerable to command injection via unsanitized argument in execGitCommand(), allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The fsa (File System Auditor) npm package, through version 0.5.1, contains a command injection vulnerability in the execGitCommand() function within lib/rep.js. The first argument to this function is a user-controlled parameter that is passed directly to child_process.exec() without any sanitization, allowing an attacker to inject arbitrary shell commands [1][2].

Exploitation

Details

The injection point is at line 63 of lib/rep.js, as confirmed by the official advisory and the Snyk vulnerability database [1][2]. A proof-of-concept demonstrates that an attacker can pass a string containing shell metacharacters (e.g., &) as the first argument, causing the injected command to be executed by the underlying shell. No authentication is required if the application exposes this function to user input; the attack surface is every code path that calls execGitCommand() with unsanitized data [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This could lead to complete compromise of the application server, including data theft, installation of malware, or pivoting to internal network resources. Since the package is intended for auditing file systems, a malicious actor could use this to disrupt monitoring or escalate privileges.

Mitigation

As of the advisory date, there is no patched version of fsa available [2]. Users are advised to avoid using the vulnerable package or, if it must be used, to ensure that the first argument to execGitCommand() is never derived from untrusted input. Alternatively, the package should be replaced with a maintained alternative.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Affected versions   Patched versions
fsa (npm)    <= 0.5.1            (none listed)

Affected products

2
  • fsa/fsa
  • ghsa-coords: Range: <= 0.5.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.