CVE-2023-26128
Description
All versions of keep-module-latest are vulnerable to command injection via the installModule function, allowing arbitrary command execution if Node.js code can be run.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The package keep-module-latest is vulnerable to command injection in all versions because of insufficient input sanitization in its installModule function. The function neither validates nor escapes the moduleName parameter before passing it to a shell command, so shell metacharacters in that value are interpreted as additional commands [1][3].
To exploit the vulnerability, an attacker must already be able to run Node.js code that calls into the package in the target environment, which typically requires some level of access to the system or application hosting the Node.js runtime. The injection occurs through the moduleName parameter, as the proof-of-concept shows: root({"moduleName":"& touch JHU"}) [3].
Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system with the privileges of the Node.js process, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network.
As of the publication date, no fixed version of keep-module-latest is available. The only mitigations are to avoid using the package or to ensure that untrusted users can never control the moduleName parameter [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keep-module-latest (npm) | <= 1.0.1 | — |
Affected products
- keep-module-latest/keep-module-latest
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.