VYPR
Critical severity · NVD Advisory · Published Apr 2, 2020 · Updated Aug 4, 2024

CVE-2020-7620

Description

pomelo-monitor through 0.3.7 is vulnerable to command injection, allowing arbitrary command execution via crafted params.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

pomelo-monitor, a process-monitoring module for Node.js applications built on the pomelo framework, is vulnerable to command injection in versions through 0.3.7. The root cause is that user-supplied parameters passed to its monitoring functions are used to build operating-system commands without validation or escaping, so an attacker who controls those parameters can append arbitrary shell commands [1][2].

Exploitation

An attacker exploits this by supplying specially crafted input to the pid parameter (or other parameters) of the monitoring functions. The Snyk advisory includes a proof-of-concept that injects a command through the pid field, "pid": "& touch Song " [2]: the leading "&" terminates the intended command and the remainder runs as a separate shell command. The NVD vector assumes no authentication and network reachability; in practice the attack is only remotely reachable where the application forwards attacker-controlled input to the vulnerable functions.

Impact

Successful exploitation results in arbitrary command execution with the privileges of the Node.js process running pomelo-monitor, which can lead to full host compromise, data exfiltration, or lateral movement within the network. NVD rates the vulnerability with a CVSS base score of 9.8 (Critical) [1].

Mitigation

As of the latest advisory, no patched version of pomelo-monitor is available [2]. Users are advised to stop using the package or, where it cannot be removed, to ensure that every value reaching its process-monitoring functions (for example pid) is validated as a plain integer before use, since escaping alone is error-prone. Note that a public PoC does not by itself qualify a vulnerability for CISA's Known Exploited Vulnerabilities (KEV) catalog, which requires evidence of in-the-wild exploitation; no such evidence is cited here.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pomelo-monitor (npm)
Affected versions: <= 0.3.7
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
