VYPR

Critical severity | NVD Advisory | Published Apr 24, 2023 | Updated Feb 5, 2025

CVE-2023-27848

Description

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

broccoli-compass v0.2.4 contains an arbitrary command injection vulnerability via unsanitized filenames passed to the child_process exec function.

broccoli-compass v0.2.4 is a Sass-compass plugin for Broccoli that is vulnerable to arbitrary command injection (CWE-77). The vulnerability arises because the child_process exec function is called without sanitizing user-supplied filenames passed through the files option. When a filename containing shell metacharacters is included, the exec function interprets them as commands, leading to remote code execution (RCE) [1][2].

An attacker can exploit this by providing a specially crafted filename to an application that uses broccoli-compass as a dependency. The exploit requires no authentication beyond the ability to influence the list of files processed by the plugin — for example, via user uploads or configuration inputs. The proof-of-concept demonstrates that a filename like $(touch success);# results in the execution of the embedded command [2].

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full system compromise, including data exfiltration, malware installation, or lateral movement within the network. The vulnerability is classified as high severity due to the remote code execution impact [1].

As of the advisory publication (April 2023), no patched version is available for broccoli-compass v0.2.4. Users should avoid passing unsanitized filenames to the plugin or consider replacing it with an actively maintained alternative. The project repository shows no recent activity, suggesting it may be abandoned [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
broccoli-compass   npm         <= 0.2.4            (none)

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.