CVE-2022-29080
Description
The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The npm-dependency-versions package up to version 0.3.0 contains a command injection flaw when unsanitized input is passed to the dependencyVersions function via the pkgs key.
Vulnerability
The npm-dependency-versions package through version 0.3.0 for Node.js allows command injection. The vulnerability exists in the package's exported dependencyVersions function, which fails to sanitize user-controlled input in the pkgs parameter before passing it to a command execution API. An attacker who can call dependencyVersions with a crafted JSON object where pkgs is a key containing shell metacharacters can inject arbitrary commands [1][3].
Exploitation
An attacker needs the ability to provide a JSON object with a pkgs key whose value contains shell metacharacters (e.g., `;`). A proof-of-concept demonstrates that calling `dependencyVersions({"pkgs":["touch rce"]})` results in command execution [3]. No special network position or authentication is required if the attacker can supply the input to the function.
Impact
Successful exploitation results in arbitrary command execution on the system running the Node.js application that uses the vulnerable version of the npm-dependency-versions package. The attacker gains the privileges of the application process, potentially leading to full system compromise, data exfiltration, or further lateral movement.
Mitigation
As of the available references, no patched version has been released. The last version affected is 0.3.0 [1][2]. Users should avoid using the npm-dependency-versions package or ensure that untrusted input is never passed to the dependencyVersions function. No workaround is provided by the vendor, and the package does not appear to be actively maintained. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| npm-dependency-versions | npm | <= 0.3.0 | — |
Affected products
- npm-dependency-versions/npm-dependency-versions
  - Range: <=0.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-m7xq-8jp8-rj2c (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-29080 (NVD advisory)
3. github.com/barneycarroll/npm-dependency-versions/issues/6 (GitHub issue, web)
4. www.npmjs.com/package/npm-dependency-versions (npm package page, web)
News mentions
No linked articles in our index yet.