VYPR
Critical severity · NVD Advisory · Published Feb 2, 2021 · Updated Sep 17, 2024

Command Injection

CVE-2020-7775

Description

Command injection vulnerability in the freediskspace npm package due to improper neutralization of arguments in line 71 of freediskspace.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

The freediskspace npm package, in all versions, contains a command injection vulnerability stemming from improper neutralization of arguments in line 71 of freediskspace.js [1][2]. The package fails to sanitize user-supplied input before passing it to a system command, allowing an attacker to inject arbitrary shell commands.

Exploitation

An attacker can exploit this vulnerability by providing a crafted argument to the freediskspace function. No authentication is required if the application exposes this function to untrusted input, such as through a web API or command-line interface. The attacker only needs to control the argument value that is passed to the vulnerable line [2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network [2].

Mitigation

As of the publication date, there is no patched version of freediskspace available [2]. The only mitigation is to avoid using the package or to ensure that any input passed to it is strictly validated and sanitized before use. The vulnerability is listed in the Snyk database and has been assigned a CVSS score [1].
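One way to apply the strict validation described under Mitigation, shown as an added example that is not code from freediskspace or from this advisory. The allow-listed mount points, the names `validateMountArg` and `freeBytes`, and the use of Node's `fs.statfsSync` (Node.js 18.15 or later) instead of a shell command are assumptions made for illustration.

```javascript
'use strict';
// Added example: validate a disk/mount argument before it can reach any
// code that builds a system command, and read free space without a shell.
const fs = require('fs');
const path = require('path');

// Hypothetical allow-list: the only mount points this application may query.
const ALLOWED_MOUNTS = new Set(['/', '/tmp']);

// Conservative character allow-list for an absolute POSIX path.
// Spaces, quotes, ';', '|', '&', '$', backticks and newlines all fail it.
const SAFE_PATH = /^\/[A-Za-z0-9._\/-]*$/;

function validateMountArg(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 255) {
    return { ok: false, reason: 'not a non-empty string of sane length' };
  }
  if (!SAFE_PATH.test(input)) {
    return { ok: false, reason: 'contains characters outside the allow-list' };
  }
  // Resolve '..' and duplicate slashes, then drop a trailing slash (except root)
  // so that '/tmp/' and '/tmp' compare equal against the allow-list.
  const normalized = path.posix.normalize(input);
  const canonical = normalized.length > 1 ? normalized.replace(/\/+$/, '') : normalized;
  if (!ALLOWED_MOUNTS.has(canonical)) {
    return { ok: false, reason: 'not an approved mount point' };
  }
  return { ok: true, value: canonical };
}

// Free bytes available to unprivileged users on an approved mount point.
// No subprocess is started, so there is no command line to inject into.
function freeBytes(input) {
  const check = validateMountArg(input);
  if (!check.ok) {
    throw new Error('rejected mount argument: ' + check.reason);
  }
  const st = fs.statfsSync(check.value); // assumption: Node.js >= 18.15
  return st.bavail * st.bsize;
}
```

Validation rejects by default: anything that is not an exact, canonical match for an approved mount point never reaches the filesystem call.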

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| freediskspace (npm) | <= 1.2.0 | |

Affected products

2

Patches

0

No patches discovered yet.


References

3
