VYPR
High severity | NVD Advisory | Published Oct 2, 2020 | Updated Sep 17, 2024

Arbitrary Code Execution

CVE-2020-7738

Description

All versions of the shiba npm package are vulnerable to arbitrary code execution because it uses js-yaml's unsafe load() instead of safeLoad().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-7738 affects all versions of the shiba npm package, which is a live Markdown previewer with a linter [2]. The vulnerability is rooted in the package's use of the load() function from the js-yaml library instead of the secure alternative safeLoad() [1]. The load() function in js-yaml can deserialize arbitrary YAML types, which can lead to code execution if the input contains a crafted payload.

Exploitation and Likelihood

To exploit this vulnerability, an attacker would need to provide a maliciously crafted YAML file that shiba processes. Since shiba is a live previewer, this could occur when a user opens a specially crafted Markdown file containing a dangerous YAML front matter block [2]. No authentication is required beyond the user's action of opening the file. The attack surface is the YAML parsing functionality triggered by the Markdown preview.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the system running shiba. This provides full control over the application context and could lead to data theft, malware installation, or further lateral movement within the victim's environment.

Mitigation Status

As of the publication date, there is no fixed version available for the shiba package [2]. Users are advised to consider replacing shiba with an alternative Markdown previewer or to avoid processing untrusted YAML content with shiba altogether. The vulnerability is straightforward to fix in the source code by replacing load() with safeLoad(), but the package maintainer has not released a patch.
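An added example, not shiba's or js-yaml's own code: a small front-matter audit in JavaScript that a reviewer can run over Markdown files before they ever reach a YAML loader. It assumes the usual "---"-delimited front matter at the top of the file, lists every explicit tag in the block, and flags tags outside the standard YAML schema (the js/ tags are exactly what safeLoad() refuses to resolve). It is a lint-style pre-check; the fix for this CVE remains the safeLoad() call described above.

```javascript
// Added example (not shiba's code): audit the YAML front matter of a Markdown
// document for non-standard tags before a YAML loader sees it. The real fix for
// CVE-2020-7738 is calling js-yaml safeLoad() instead of load() (js-yaml 4.x
// load() is safe by default); this check only catches documents that would
// need the unsafe loader in the first place.

// Tags defined by the standard YAML schemas; anything else (e.g. js/function,
// js/regexp, js/undefined) is a language-specific type the safe loader rejects.
const STANDARD_TAGS = new Set([
  'str', 'int', 'float', 'bool', 'null', 'map', 'seq', 'set', 'omap',
  'pairs', 'binary', 'timestamp', 'merge',
]);

// Assumption: front matter is the block between a leading '---' line and the
// next '---' line, as shiba and most Markdown tooling expect.
function extractFrontMatter(markdown) {
  const m = /^---\r?\n([\s\S]*?)\r?\n---(?:\r?\n|$)/.exec(markdown);
  return m ? m[1] : null;
}

// Every explicit tag in the YAML text, whether written as shorthand
// ("!!js/function"), verbatim ("!<tag:yaml.org,2002:js/function>") or as a
// local tag ("!custom"). A tag must start a token (start, space, '[', '{', ',')
// so a '!' inside a plain word is not counted.
function listTags(yamlText) {
  const tags = [];
  const re = /(?<![^\s\[{,])(?:!<([^>]+)>|!!?([A-Za-z0-9_\/.-]+))/g;
  let m;
  while ((m = re.exec(yamlText)) !== null) {
    tags.push(m[1] ? m[1].replace(/^tag:yaml\.org,2002:/, '') : m[2]);
  }
  return tags;
}

// Result: whether a front matter block exists and which tags fall outside the
// standard schema. A non-empty unsafeTags list means the document should not
// be handed to an unsafe loader such as js-yaml load() in versions < 4.
function auditFrontMatter(markdown) {
  const fm = extractFrontMatter(markdown);
  if (fm === null) return { hasFrontMatter: false, unsafeTags: [] };
  const unsafeTags = listTags(fm).filter((t) => !STANDARD_TAGS.has(t));
  return { hasFrontMatter: true, unsafeTags };
}

// Constructed sample documents: one ordinary, one that needs the unsafe loader.
const BENIGN = '---\ntitle: Notes\ndate: 2020-10-02\ntags: [yaml, markdown]\n---\n# Notes\n';
const SUSPICIOUS = '---\ntitle: Notes\nhook: !!js/function "function () {}"\n---\n# Notes\n';

console.log(auditFrontMatter(BENIGN));      // { hasFrontMatter: true, unsafeTags: [] }
console.log(auditFrontMatter(SUSPICIOUS));  // { hasFrontMatter: true, unsafeTags: [ 'js/function' ] }
```

The regex audit is deliberately conservative: a quoted string containing "!word" after a space is still reported, which is the right failure direction for a lint step.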

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: shiba (npm)
Affected versions: <= 1.2.1
Patched versions: none

Patches

No patches discovered yet.