Command Injection

Vulnerability

Overview

The connection-tester npm package prior to version 0.2.1 is vulnerable to command injection. The injection point is located at line 15 in index.js, where user-supplied host and port values are passed unsanitized to a system command. This allows an attacker to inject arbitrary shell commands through the host or port parameters [1].

Attack

Vector

The vulnerability is exploitable by providing a malicious host or port string to the testConnection function. No authentication is required, and the attack can be carried out remotely if the application passes user-controlled input to this function. The following PoC demonstrates the vulnerability (as per the CVE description):

// Example: host = "$(whoami)" or port = "80;id"

Actual command execution occurs when the package constructs a shell command using exec or similar without proper escaping, enabling arbitrary command execution on the server [2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network.

Mitigation

The vulnerability is fixed in version 0.2.1. Users should upgrade immediately. The fix introduces validation for host and port inputs as demonstrated in the pull request [1]. As of this writing, no CVE lists this as exploited in the wild, but given the low complexity and high impact, immediate patching is recommended.