CVE-2022-25962
Description
Command injection vulnerability in vagrant.js allows attackers to execute arbitrary commands via the boxAdd function due to improper input sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The package vagrant.js, a Node.js wrapper for Vagrant, is vulnerable to command injection in the boxAdd function. The vulnerability stems from improper input sanitization of the parameters passed to this function, specifically the box name and URL arguments [1]. This affects all versions of the package.
Exploitation and Attack Vector
An attacker can exploit this vulnerability by providing specially crafted input to the boxAdd function that includes arbitrary shell commands. The proof of concept demonstrates injection via the box name parameter: vagrant.boxAdd(";touch EXPLOITED;#", "", callback) [3]. No authentication is required if an attacker can control the input passed to this function, which could occur through user-supplied data in applications that use vagrant.js and expose this functionality.
Impact
The vulnerability allows an attacker to execute arbitrary commands on the system running the vulnerable package with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or denial of service. The CVSS base score is not provided in the references, but the nature of command injection typically results in high severity.
Mitigation and Status
As of the disclosure date (December 2022) and publication date (January 2023), there is no fixed version available for vagrant.js [3]. The package appears to be maintained on GitHub [2], but no patch has been released. Users should consider discontinuing use of the package, implementing strict input validation and sanitization as a workaround, or migrating to alternative solutions that securely wrap Vagrant commands.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vagrant.js (npm) | <= 0.0.4 | — |
Affected products
- vagrant.js/vagrant.js
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.