High severity · NVD Advisory · Published Jun 1, 2022 · Updated Aug 4, 2024

CVE-2021-34080

Description

OS Command Injection in es128/ssl-utils 1.0.0 via unsanitized shell metacharacters in createCertRequest and createCert functions allows arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-34080 is an OS Command Injection vulnerability in the Node.js package ssl-utils version 1.0.0. The flaw resides in the createCertRequest() and createCert() functions, which pass user-supplied input to shell commands without proper sanitization. Attackers can inject arbitrary commands through shell metacharacters (e.g., ;, |, &) provided as part of certificate subject fields or other parameters. The vulnerable package is hosted on npm and GitHub [1] [2].

Exploitation

An attacker must be able to supply crafted input to the vulnerable functions, typically via the subject object (fields like CN, O, etc.) or other arguments passed to createCertRequest or createCert. No authentication is required if the application exposes these functions to user input. The attacker provides a string containing shell metacharacters that, when concatenated into an OpenSSL command line, results in execution of arbitrary OS commands. The exploit does not require any special network position beyond the ability to send input to the application [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands on the server running the vulnerable Node.js application. This can lead to full compromise of the confidentiality, integrity, and availability of the system, including data exfiltration, installation of backdoors, or denial of service. The impact is critical, with a CVSS score of 9.8 (Critical) if the application uses the library in a context where user input is processed [1] [3].

Mitigation

As of the publication date (2022-06-01), the vulnerability exists in version 1.0.0 and no patched version has been released; the GitHub repository appears unmaintained [2] [3]. Users are strongly advised to avoid using ssl-utils in production or to switch to an alternative SSL utility library that properly sanitizes input. If immediate replacement is not possible, developers must ensure that all user-supplied arguments to createCertRequest and createCert are strictly validated and sanitized to remove shell metacharacters. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ssl-utils (npm)
Affected versions: <= 1.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)