VYPR
Critical severity · NVD Advisory · Published Apr 6, 2020 · Updated Aug 4, 2024

CVE-2020-7635

Description

The compass-compile package through 0.0.1 allows command injection via the options argument, enabling arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The compass-compile package for Node.js, in all versions up to and including 0.0.1, contains a command injection vulnerability in its compile function. The root cause is that caller-controlled options, specifically the compassCommand property, are passed unsanitized into a child process execution, so shell metacharacters in that value are interpreted as additional commands rather than as data [1][2].

An attacker exploits this by supplying a malicious options object to the compile method. No authentication or special privileges are required; any input path that ends up controlling the options argument, such as a configuration file or an API parameter, is a viable vector [3][4].

Successful exploitation yields arbitrary operating-system command execution with the privileges of the Node.js process. Where the options argument is reachable from remote input this amounts to remote code execution, and it can lead to full host compromise, data exfiltration, or lateral movement [1][4].

At the time of disclosure no patched version of compass-compile exists. Users should avoid the package, or ensure that the options argument (compassCommand in particular) is never derived from untrusted input. The package appears unmaintained, and migration to an alternative is recommended [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
compass-compile (npm)    <= 0.0.1            none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)