CVE-2023-26127
Description
All versions of the npm package n158 are vulnerable to command injection via improper input sanitization in module.exports.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2023-26127 describes a command injection vulnerability in the npm package n158. The flaw exists in the module.exports function, which fails to properly sanitize user-supplied input before passing it to system commands. This allows an attacker to inject arbitrary operating system commands, similar to other command injection flaws in Node.js utilities [1][4].
Exploitation
To exploit this vulnerability, an attacker must be able to execute Node.js code within the target environment, indicating a prerequisite of some level of access to the system or application hosting the Node.js runtime [1][4]. The Snyk advisory includes a proof-of-concept (PoC) command: node node_modules/n158/bin/index.js init --name ".';touch EXPLOITED;#" [4]. This PoC demonstrates that passing a crafted string to the --name argument of the init subcommand can achieve command execution, as the injected command (touch EXPLOITED) is executed on the host system.
Impact
Successful exploitation enables an attacker to execute arbitrary operating system commands with the privileges of the Node.js process, which could lead to data exfiltration, system compromise, or lateral movement within the network [4]. The vulnerability affects all versions of the n158 package, making widespread exploitation possible if the package is used in a context where an unprivileged user can trigger the vulnerable functionality.
Mitigation
As of the advisory publication date, there is no fix available for the n158 package. The maintainer's repository indicates no patched version has been released [2][3][4]. Users are advised to consider replacing n158 with an alternative package that is actively maintained, or to restrict access to the Node.js environment to prevent untrusted code execution. Given the lack of a patch, this may be considered for inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog if active exploitation is observed.
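The injection class described under Root Cause, with two standard defenses, as an added example that is not n158's code or the advisory's. The package source is not shown on this page, so `buildShellString` is an assumed stand-in for the vulnerable pattern, and every function name here is hypothetical.

```javascript
const { execFileSync } = require('child_process');

// Assumed stand-in for the vulnerable pattern (NOT n158's actual source):
// the value is spliced into text that a shell would later parse, so a quote
// or ';' inside it stops being data and becomes shell syntax.
function buildShellString(name) {
  return `mkdir '${name}'`; // returned only, never executed here
}

// Defense 1: allow-list validation. Accept only the characters a project
// name needs and reject everything else instead of trying to escape it.
const PROJECT_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
function isValidProjectName(name) {
  return typeof name === 'string' && PROJECT_NAME.test(name);
}

// Defense 2: no shell. execFileSync takes the program and an argument array,
// so each element reaches the child as one literal argv entry. The child
// here is a harmless Node one-liner that echoes its last argument back.
function passAsArgv(name) {
  const echo = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', echo, '--', name], {
    encoding: 'utf8',
  });
}

// Hypothetical init handler combining both defenses.
function initProject(name) {
  if (!isValidProjectName(name)) {
    throw new TypeError('invalid project name');
  }
  return passAsArgv(name);
}
```

With the `--name` value quoted in the advisory as input, `isValidProjectName` returns false, and `passAsArgv` hands the same string to the child unchanged as a single argument.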
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| n158 (npm) | <= 1.4.1 | — |
Affected products (2)
- Range: <= 1.4.1
Patches (0)
No patches discovered yet.
References (5)