VYPR
Critical severity · NVD Advisory · Published Apr 6, 2020 · Updated Aug 4, 2024

CVE-2020-7632

Description

node-mpv through 1.4.3 is vulnerable to command injection via unsanitized user-controlled options, allowing arbitrary OS command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Analysis

The node-mpv npm package (versions 0.12.2 through 1.4.3) contains a command injection vulnerability in its lib/util.js file [1][2]. The root cause is that the options argument passed to the mpv wrapper is not sanitized before being used to construct a shell command. Instead of passing arguments safely as separate elements, the library concatenates user-controlled values directly into a command string, which is then executed by the system shell.

Exploitation

An attacker can exploit this vulnerability by providing a malicious options object when creating an instance of the mpv wrapper. For example, setting the binary property to a string like " $(touch JHU) " will cause the shell to interpret the injected command after the sub-shell expansion [3]. No authentication is required, as the vulnerability is triggered within Node.js code that processes untrusted input, typically from a web request, file, or configuration. The attack vector is remote in scenarios where user-supplied options are forwarded to this package.

Impact

Successful exploitation allows arbitrary command execution on the host system with the privileges of the Node.js process. An attacker could potentially read sensitive files, launch reverse shells, install malware, or pivot to other internal systems. The CVSS score of 9.8 (Critical) reflects the low complexity and network-based attack vector with no privileges required and no user interaction needed [1].

Mitigation

As of the latest disclosure, there is no fixed version available for node-mpv [3]. The package has not released a patch, and it may be abandoned. Users of this library should stop using it and migrate to an alternative that passes arguments to the player as separate argv elements rather than building a shell command string. If continued use is unavoidable, ensure that no untrusted user input reaches the options argument, and consider running the Node.js process in a sandboxed environment with minimal privileges.
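The two command-construction patterns contrasted in the analysis and mitigation above, as an added example that is not node-mpv's own code: the string-building approach that lets a shell expand a value like " $(touch JHU) ", beside an argv-based builder that a caller would hand to child_process.spawn with shell disabled. The option names (binary, args) and the --idle default are assumptions for illustration.

```javascript
// Vulnerable pattern: options are concatenated into a single string that a
// shell will parse, so a binary value such as ' $(touch JHU) ' is expanded
// by the shell before anything is executed. Returned here instead of being
// passed to exec() so the example runs offline.
function buildShellCommand(options) {
  const binary = options.binary || 'mpv';
  const args = (options.args || []).join(' ');
  return `${binary} --idle ${args}`; // the string exec()/sh -c would receive
}

// Hardened pattern: keep the executable and every argument as separate argv
// elements and never involve a shell. The binary option is restricted to a
// plain program name or path (this allowlist intentionally rejects paths
// containing spaces or shell metacharacters).
const BINARY_RE = /^[A-Za-z0-9._\/-]+$/;

function buildSpawnInvocation(options) {
  const binary = options.binary || 'mpv';
  if (typeof binary !== 'string' || !BINARY_RE.test(binary)) {
    throw new TypeError(`refusing unsafe mpv binary option: ${JSON.stringify(binary)}`);
  }
  const args = ['--idle'];
  for (const a of options.args || []) {
    if (typeof a !== 'string') {
      throw new TypeError('mpv arguments must be strings');
    }
    args.push(a); // each value becomes exactly one argv element, unparsed
  }
  // Shape expected by child_process.spawn(file, args, { shell: false }).
  return { file: binary, args, shell: false };
}

// Constructed sample input reusing the string from the advisory text.
const untrustedOptions = { binary: ' $(touch JHU) ' };

function demo() {
  const unsafe = buildShellCommand(untrustedOptions);
  let hardened;
  try {
    hardened = buildSpawnInvocation(untrustedOptions);
  } catch (e) {
    hardened = `rejected: ${e.message}`;
  }
  return { unsafe, hardened };
}
```

With spawn and shell: false the operating system receives the argv array as-is, so shell expansion never happens; user control over individual mpv flags is a separate concern that still needs an allowlist.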

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
node-mpv (npm)   <= 1.4.3            none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.