CVE-2020-7646
Description
curlrequest through 1.0.1 allows arbitrary file read via the file parameter, enabling directory traversal and information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
curlrequest through 1.0.1 allows arbitrary file read via the file parameter, enabling directory traversal and information disclosure.
CVE-2020-7646 affects the curlrequest npm package (versions through 1.0.1), which is a Node.js wrapper for the curl command-line tool. The vulnerability exists because the file option, intended for file uploads, is passed directly to the curl command without validation. This allows an attacker to supply an arbitrary file path, which curl then reads and returns the contents. The root cause is insufficient sanitization of user-controlled input in the file parameter [1][2].
Exploitation is straightforward: an attacker provides the file parameter with a path to a sensitive file, such as /etc/passwd. No authentication is required; the attack can be performed remotely if the application using curlrequest accepts user input for this parameter. According to the Snyk advisory, a proof-of-concept demonstrates reading /etc/passwd by simply setting { file: "/etc/passwd" } in the request options [3].
The impact is high because the attacker can read any file on the filesystem that the Node.js process has access to. This includes configuration files, source code, and other sensitive data. The Common Vulnerability Scoring System (CVSS) base score for this vulnerability is 9.1, indicating critical severity [2].
No patched version of curlrequest exists; the package appears to be unmaintained. The recommended mitigation is to avoid using the file parameter with untrusted input or to switch to a different library. As of the publication date, no workaround has been provided by the maintainer [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
curlrequestnpm | <= 1.0.1 | — |
Affected products
2- curlrequest/curlrequestdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `file` parameter is passed unsanitized to the shell command `curl(1)`, allowing arbitrary file reads via path traversal or absolute paths."
Attack vector
An attacker can read arbitrary files on the system by supplying a file path (e.g., `/etc/passwd`) or a path traversal sequence (e.g., `../../etc/passwd`) as the `file` option when calling `curl.request()`. The library passes this user-controlled value directly to the shell command `curl(1)`, which interprets it as a file to read, resulting in arbitrary file read [CWE-78][ref_id=2]. No authentication or special network position is required; the attacker only needs to control the `file` parameter.
Affected code
The vulnerability resides in the `curlrequest` package (versions through 1.0.1), specifically in the `index.js` file around line 239, where the `file` parameter is passed directly to the underlying `curl(1)` command without sanitization [ref_id=1][ref_id=2].
What the fix does
No fix has been published for `curlrequest` [ref_id=2]. The advisory recommends avoiding the package or not passing user input to the `file` parameter. A proper fix would require sanitizing or validating the `file` option to prevent shell metacharacters and path traversal sequences from being injected into the `curl(1)` command.
Preconditions
- inputAttacker must be able to supply the `file` parameter to `curl.request()` (e.g., via user input to an application using the library).
- authNo authentication or network access restrictions are required beyond the ability to influence the `file` option.
Reproduction
```javascript var curl = require("curlrequest"); let userPayload = "/etc/passwd"; curl.request({ file: userPayload }, function (err, stdout, meta) { console.log("%s %s", meta.cmd, meta.args.join(" ")); }); ``` [ref_id=2]
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-m8xj-5v73-3hh8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7646ghsaADVISORY
- github.com/node-js-libs/curlrequest/blob/master/index.jsmitrex_refsource_MISC
- github.com/node-js-libs/curlrequest/blob/master/index.jsghsaWEB
- snyk.io/vuln/SNYK-JS-CURLREQUEST-568274ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.