PT-2020-19652 · Npm · Node-Rules

Published 2020-04-27 · Updated 2021-12-10 · CVE-2020-7609

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: node-rules versions 3.0.0 through 5.0.0

Description: The issue allows the injection of arbitrary commands. This is possible because the rules argument of the fromJSON() function can be controlled by users without any sanitization, enabling potential exploitation.

Recommendations: For node-rules versions 3.0.0 through 5.0.0, consider disabling the fromJSON() function until a patch is available to prevent the injection of arbitrary commands. Restrict access to this function to minimize the risk of exploitation.

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2020-7609
GHSA-F78F-353M-CF4J
SNYK-JS-NODERULES-560426

Affected Products

Node-Rules