VYPR
Critical severity · NVD Advisory · Published Jul 28, 2023 · Updated Oct 22, 2024

CVE-2023-39015


Description

webmagic-extension v0.9.0 and below was discovered to contain a code injection vulnerability via the component us.codecraft.webmagic.downloader.PhantomJSDownloader.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Code injection in webmagic-extension's PhantomJSDownloader allows arbitrary command execution via an unchecked constructor argument.

Vulnerability

Summary

CVE-2023-39015 describes a code injection vulnerability in the webmagic-extension component of the WebMagic web crawler framework, affecting version 0.9.0 and below. The vulnerable class is us.codecraft.webmagic.downloader.PhantomJSDownloader, which accepts a phantomJsCommand string in its constructor without proper validation. This allows an attacker to inject arbitrary commands by passing a crafted string, such as "cmd /c ..." on Windows, directly to the underlying system execution context [3].

Exploitation

The root cause is the lack of input sanitization on the phantomJsCommand parameter. The download method ultimately executes this command without restricting it to the legitimate PhantomJS binary. Exploitation requires control over the constructor argument, which may be achieved through deserialization, untrusted configuration sources, or other injection points. No authentication is needed if an attacker can supply a crafted PhantomJSDownloader instance – for example, via a malicious request object [3].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the application. This can lead to full system compromise, data exfiltration, or lateral movement within the network. The provided proof-of-concept demonstrates opening multiple calculator windows on Windows, but the same technique can be used for any command [3].

Mitigation

The official suggestion is to remove PhantomJSDownloader.java entirely, as PhantomJS has been unmaintained since 2018. If removal is not feasible, the phantomJsCommand parameter must be strictly validated to ensure it points only to a known PhantomJS executable. No official patch has been released as of the CVE publication date [3].
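
One way to implement the strict validation described above, as an added example that is not WebMagic's code or an official patch: a Java allowlist check that accepts phantomJsCommand only when it resolves to a known PhantomJS binary. The class name PhantomJsCommandValidator, the allowlisted install paths and the newProcess helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Set;

// Added example (hypothetical helper, not part of WebMagic). Requires Java 11+.
public final class PhantomJsCommandValidator {

    // Assumption: canonical (symlink-free) install locations chosen by the operator.
    private static final Set<Path> ALLOWED = Set.of(
            Paths.get("/usr/local/bin/phantomjs"),
            Paths.get("/opt/phantomjs/bin/phantomjs"));

    private PhantomJsCommandValidator() {}

    /** Returns the resolved binary path, or throws if the value is not an allowlisted executable. */
    public static Path validate(String phantomJsCommand) throws IOException {
        if (phantomJsCommand == null || phantomJsCommand.isBlank()) {
            throw new IllegalArgumentException("phantomJsCommand is empty");
        }
        // A bare executable path carries no arguments, so any whitespace means
        // extra tokens were supplied (the "cmd /c ..." shape from the advisory text).
        if (phantomJsCommand.chars().anyMatch(Character::isWhitespace)) {
            throw new IllegalArgumentException("phantomJsCommand must be a single path");
        }
        // toRealPath() resolves symlinks and ".." and throws if the file is missing.
        Path real = Paths.get(phantomJsCommand).toRealPath();
        if (!ALLOWED.contains(real) || !Files.isRegularFile(real) || !Files.isExecutable(real)) {
            throw new IllegalArgumentException("not an allowlisted PhantomJS binary: " + real);
        }
        return real;
    }

    /** Builds an argv list so the binary, script and URL are never joined into one string. */
    public static ProcessBuilder newProcess(Path binary, String scriptPath, String url) {
        return new ProcessBuilder(List.of(binary.toString(), scriptPath, url));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first mirrors the shape quoted in the advisory text.
        for (String candidate : List.of("cmd /c ...", "/tmp/phantomjs", "/usr/local/bin/phantomjs")) {
            try {
                System.out.println("accepted: " + validate(candidate));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected: " + candidate + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Call validate() at the point where the value enters the application (configuration load or object construction), and pass the returned path as its own argument-list element rather than concatenating it into a command string.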

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| us.codecraft:webmagic-core (Maven) | <= 0.9.0 | |

Affected products

3

Patches

0

No patches discovered yet.


References

3
