CVE-2025-57282
Description
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in ngrok v4.3.3 and 5.0.0-beta.2 allows arbitrary commands to be executed during binary path resolution via the ngrok.getVersion API.
Root Cause
The ngrok npm package versions 4.3.3 and 5.0.0-beta.2 contain a command injection flaw. The vulnerability stems from the getVersion() function, which accepts a binPath option expected to be a function returning a file path. The returned value is not treated as an opaque path, so an attacker who controls binPath can have the function return a shell command instead of a path, and that command is executed [1].
Attack Vector
Exploitation requires the ability to pass a specially crafted options object to ngrok.getVersion(). The proof-of-concept demonstrates that by setting binPath to a function that returns something like "touch Dremig486; #", the injected shell command is executed when the library resolves the binary path. No authentication is needed; any application or script that uses the vulnerable ngrok API with attacker-controlled options is exposed [1].
Impact
A successful injection allows the attacker to execute arbitrary commands in the context of the Node.js process running the ngrok package. This can lead to file creation, data exfiltration, privilege escalation, or further compromise of the host system. The PoC specifically shows creating a file in the current directory, but the impact extends to any shell command [1].
Mitigation Status
As of the publication date, no official patch has been released. The vulnerability affects both the latest stable channel version (4.3.3) and the beta version (5.0.0-beta.2). Users should avoid passing untrusted input to the getVersion() function's options and monitor upstream for a release that fixes the injection [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.