VYPR
Critical severity · NVD Advisory · Published Jan 9, 2023 · Updated Apr 9, 2025

CVE-2022-25890

Description

All versions of the wifey npm package are vulnerable to command injection via the connect() function due to improper input sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The wifey npm package, in all versions, contains a command injection vulnerability in its connect() function. This arises from improper sanitization of user-provided input, specifically the SSID parameter, which is passed to a system command without adequate validation [1][2].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted SSID string containing shell metacharacters. The provided proof-of-concept demonstrates that a value like "';touch EXPLOITED;#" results in arbitrary command execution on the host system [2]. No authentication is required beyond the ability to call the connect() function, making the attack surface broad for any application using this package. The vulnerable function is typically invoked with user-controlled data.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the process running the wifey package. This can lead to complete compromise of the application and underlying system, including data exfiltration, installation of malware, or further lateral movement [2].

Mitigation Status

As of the publication date, there is no fixed version available for wifey [2]. The package remains vulnerable in all releases. Users should consider replacing the package with an alternative that performs proper input sanitization or avoid using wifey in production environments.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wifey (npm)
Affected versions: <= 2.0.7
Patched versions: none listed

Affected products

1

Patches

0

No patches discovered yet.

References

3
