VYPR
High severity · NVD Advisory · Published Feb 1, 2023 · Updated Mar 26, 2025

CVE-2022-25906

Description

The is-http2 npm package is vulnerable to command injection in its isH2 function, allowing arbitrary command execution via unsanitized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The is-http2 npm package (all versions) contains a command injection vulnerability in its isH2 function [1]. The root cause is the absence of sanitization or validation of user-supplied options, specifically the openssl parameter [2]. The function interpolates this value into a command string without escaping it, and then executes that string through a shell [1].

Exploitation

An attacker can exploit this by supplying a malicious string for the openssl option when calling isHttp2(url, { openssl: "malicious input" }). No authentication is required, since the package is intended for use in Node.js applications where the attacker controls the options passed to the function [3]. The isH2 function runs the OpenSSL command through exec or a similar shell-backed API, and the lack of sandboxing or checks on the option value allows the injected commands to run [4].

Impact

Successful exploitation allows an attacker to execute arbitrary system commands with the privileges of the Node.js process. This can lead to full compromise of the application and the underlying system, including data theft, lateral movement, or further attacks [4].

Mitigation

As confirmed by Snyk, no patched version of this package is available [4]. Users are advised to stop using the package, or, if they must keep it, to apply strict input validation to every option passed to the isH2 function [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
is-http2 (npm)   <= 1.2.0            (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.