VYPR
High severity · NVD Advisory · Published Jun 1, 2022 · Updated Aug 4, 2024

CVE-2021-34084

Description

OS command injection in Turistforeningen node-s3-uploader through 2.0.3 allows arbitrary command execution via the metadata() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an OS command injection flaw in the metadata() function of the s3-uploader npm package (versions through 2.0.3) [1][2]. The package is used for resizing, renaming, and uploading images to Amazon S3. The metadata() function does not properly sanitize user-supplied input, allowing an attacker to inject arbitrary operating system commands [3]. No specific configuration or special conditions are required for the code path to be reachable; any user who can invoke metadata() with untrusted data is at risk.

Exploitation

An attacker needs only the ability to supply input to the metadata() function, typically via file upload metadata or API parameters [2][3]. The attacker crafts a malicious string containing shell command delimiters (e.g., backticks, $(), or semicolons) which, when passed to the underlying system call, results in arbitrary command execution. No authentication or privileged network position is required beyond normal access to the functionality.

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the host running the Node.js application. This leads to full compromise of the server, including potential data exfiltration, installation of backdoors, or lateral movement within the network. The impact is severe (CVSS base score likely high) and affects the confidentiality, integrity, and availability of the system.

Mitigation

As of the publication date (2022-06-01), no patched version has been released for this vulnerability [1][3]. The affected versions are through 2.0.3, and the repository does not indicate a subsequent fix. Users should immediately avoid passing untrusted input to the metadata() function and consider switching to an alternative library or implementing strict input validation and sanitization. If the package is no longer maintained, replacing it entirely is recommended.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
s3-uploader    npm         <= 2.0.3            (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.