VYPR
High severity · NVD Advisory · Published Jun 1, 2022 · Updated Aug 4, 2024

CVE-2021-34083

Description

Google-it Node.js package up to version 1.6.2 has a command injection vulnerability in the 'Open in browser' feature, allowing remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Google-it is a Node.js package that allows users to send search queries to Google and receive JSON results. In versions up to and including 1.6.2, the 'Open in browser' option (enabled via the --open CLI flag or programmatic use) constructs a shell command by directly concatenating the result's link from Google without sanitization. This occurs in the code at src/googleIt.js line 34 and lib/googleIt.js line 59 [3][4]. An attacker who can influence the search results (e.g., through SEO poisoning or controlling a linked site) can inject arbitrary shell commands via the crafted link.

Exploitation

An attacker must get a malicious search result to appear in the Google output returned to an instance that uses google-it with the 'Open in browser' feature. The attacker does not require authentication but must be able to control the content of a search result link. When a user or automated script runs google-it with the --open flag, the unsanitized link is passed to a shell execution function (likely exec or spawn with shell), leading to arbitrary command injection. No user interaction beyond initiating the search and open action is required [1].

Impact

Successful exploitation results in remote code execution (RCE) on the server or client running google-it. The attacker gains the same privileges as the process executing the library, potentially leading to full system compromise, data exfiltration, or further lateral movement [1].

Mitigation

As of the available references, no official patched version has been released for this vulnerability. The only mitigation is to avoid using the 'Open in browser' feature by not passing the --open flag or setting the corresponding programmatic option to false. Alternatively, users may consider not using the google-it package altogether until a fix is available [1][2].
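The concatenation pattern described under Vulnerability, next to a shell-free alternative, as an added example (not google-it's source and not a released fix). The function names, the `open` launcher and the sample links are assumptions constructed for illustration.

```javascript
// Added illustration; not google-it's source. All names are hypothetical.

// Pattern the advisory describes: the link is concatenated into a string
// that a shell later parses, so metacharacters in the link become syntax.
function buildShellCommandUnsafe(link, opener = 'open') {
  return `${opener} ${link}`;
}

// Hardened form: parse the link, allow only http(s), and return an argv
// pair so the launcher receives the URL as exactly one argument.
function buildOpenArgv(link, opener = 'open') {
  let url;
  try {
    url = new URL(link);
  } catch {
    throw new Error('not a URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  return [opener, [url.href]];
}

// execFile runs the launcher directly; no shell ever sees the link.
async function openInBrowser(link) {
  const { execFile } = await import('node:child_process');
  const [file, args] = buildOpenArgv(link);
  execFile(file, args, (err) => { if (err) console.error(err.message); });
}

// Constructed sample links (not real search results).
const SAMPLES = [
  'https://example.test/page',
  'https://example.test/?q=$(echo INJECTED)',
  'file:///etc/hosts',
  '--flag value',
];

// Shows, per link, either the argv that would be executed or the rejection.
function report(links = SAMPLES) {
  return links.map((link) => {
    try { return { link, argv: buildOpenArgv(link) }; }
    catch (e) { return { link, rejected: e.message }; }
  });
}
```

`report()` performs no process execution, so it can be used to review how a batch of result links would be handled before `openInBrowser` is ever called.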

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: google-it (npm)
Affected versions: <= 1.6.2
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

5
