VYPR
Critical severity · NVD Advisory · Published Apr 2, 2020 · Updated Aug 4, 2024

CVE-2020-7628

Description

umount npm package up to 1.1.6 suffers from command injection via unsanitized device argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The umount npm package (versions through 1.1.6) contains a command injection vulnerability in its umount() function. The device argument is passed directly to a shell command without any sanitization or validation, allowing an attacker to inject arbitrary commands [1][2].

Exploitation

Method

An attacker can exploit this by providing a crafted device string that includes shell metacharacters. For example, a proof-of-concept payload such as '" $(touch Song) "' causes the shell to execute the injected command when the umount() function is called [2]. No authentication or special privileges are required; the vulnerability is triggered whenever the application processes user-controlled input as the device parameter.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the system running the vulnerable package. This can lead to full compromise of the application or server, depending on the privileges of the Node.js process [1][2]. The injection point is located in line 52 of build/umount.js in the exported function [2].

Mitigation

As of the advisory date, no fixed version has been released for umount. Users should avoid passing untrusted input to the device parameter, or consider replacing the package with an alternative that properly sanitizes shell arguments [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
umount (npm) | <= 1.1.6 | (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4