VYPR
Critical severity · NVD Advisory · Published Apr 6, 2020 · Updated Aug 4, 2024

CVE-2020-7631

Description

diskusage-ng through 0.2.4 contains a command injection flaw in the path argument, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Description

The diskusage-ng npm package (versions < 1.0.0) suffers from a command injection vulnerability. The path argument passed to the library is processed without any sanitization, enabling an attacker to inject arbitrary shell commands. The issue originates in the lib/posix.js file, where user-supplied input is directly used in a system command [1][2][3].

Exploitation

An attacker can exploit this flaw by providing a specially crafted string as the path argument. For example, a proof-of-concept shown in the advisory uses "&touch Song" as part of the path array to execute the touch Song command. No authentication is required, as the attack surface is the application’s input that passes user-controlled data to the vulnerable function [1].
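
The difference between a path concatenated into a shell string and a path passed as one argument-vector element, as an added example that is not diskusage-ng's code. The `df -kP` command line and all function names are assumptions; the sample input is the proof-of-concept string quoted above.

```javascript
// Added illustration; NOT the source of diskusage-ng's lib/posix.js.
// Assumption: the wrapper shells out to `df -kP <path>`.

// Vulnerable pattern: the caller's path is concatenated into one string that
// /bin/sh will parse, so characters such as & ; | ` $( ) act as shell syntax.
function shellCommandFor(userPath) {
  return 'df -kP ' + userPath;
}

// Hardened pattern: the path is a single element of an argument vector and is
// never seen by a shell.
function dfArgvFor(userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  if (userPath.includes('\0')) {
    throw new TypeError('path must not contain a NUL byte');
  }
  // "--" ends option parsing, so a path starting with "-" is not read as a flag.
  return ['-kP', '--', userPath];
}

// Runs df without a shell and returns sizes in KiB for the path's filesystem.
async function diskUsage(userPath) {
  // Dynamic import keeps the snippet loadable as CommonJS or as an ES module.
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  const { stdout } = await promisify(execFile)('df', dfArgvFor(userPath), {
    shell: false,   // the default for execFile, stated explicitly
    timeout: 5000,  // do not hang on an unresponsive mount
  });
  // POSIX format (-P): header line, then one data line whose columns are
  // filesystem, 1024-blocks, used, available, capacity, mount point.
  const fields = stdout.trim().split('\n').pop().split(/\s+/);
  return { total: Number(fields[1]), used: Number(fields[2]), available: Number(fields[3]) };
}

// Constructed sample input: the proof-of-concept string quoted in the advisory.
const sample = '&touch Song';
console.log(shellCommandFor(sample)); // the string a shell would be asked to parse
console.log(dfArgvFor(sample));       // the vector df receives: the path stays literal
```

With the argument-vector form, `diskUsage(sample)` rejects with df's own "no such file" error, because the whole string is looked up as a file name.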

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to data exfiltration, system compromise, or lateral movement within the network [1].

Mitigation

The vulnerability has been fixed in version 1.0.0 of diskusage-ng. Users should upgrade immediately. No workarounds are documented [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| diskusage-ng (npm) | <= 0.2.4 | |
