CVE-2020-7645

Vulnerability

Overview

The chrome-launcher npm package, used to programmatically launch Google Chrome from Node.js, is vulnerable to command injection in all versions prior to 0.13.2 [1][3]. The root cause is that the package constructs regular expressions using the unsanitized $HOME environment variable without escaping shell or regex metacharacters [4]. This allows an attacker who can control the $HOME environment variable to inject arbitrary commands that are executed when chrome-launcher attempts to locate a Chrome binary [3].

Exploitation

To exploit this vulnerability, an attacker must be able to set the $HOME environment variable for the process running chrome-launcher. This could occur in containerized environments, CI/CD pipelines, or shared hosting where environment variables are controllable [2]. The exploit does not require authentication beyond the ability to modify $HOME. The attacker includes shell metacharacters (e.g., &, ;, |) within the $HOME value; when the library uses this value in a shell command or regex, the injected commands are executed [3]. A proof-of-concept demonstrates this by appending '& touch malicious_file &' to the $HOME path [3].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This can lead to full compromise of the application environment, including data exfiltration, installation of malware, or lateral movement [2][3]. The vulnerability is classified as critical (CVSS 9.8) due to the low attack complexity and high impact on confidentiality, integrity, and availability [3].

Mitigation

The vulnerability was fixed in chrome-launcher version 0.13.2, released in December 2019 [3]. Users should upgrade to this version or later. The fix sanitizes environment variables used in regular expressions, preventing injection of metacharacters [4]. No workaround is available for affected versions; upgrading is strongly recommended.