PT-2020-21163 · Node · Require-Node

Published: 2020-09-03 · Updated: 2020-09-03

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
  • require-node versions prior to 1.3.4 for 1.x
  • require-node versions prior to 2.0.4 for 2.x
Description
The issue allows arbitrary code execution because requests to the require-node endpoint are not sanitized. Attackers can execute arbitrary code on the server by injecting OS commands in the request body.
Recommendations
  • If you are using 1.x, upgrade to version 1.3.4 or later.
  • If you are using 2.x, upgrade to version 2.0.4 or later.

OS Command Injection

Weakness Enumeration

Related Identifiers

GHSA-8J6J-4H2C-C65P

Affected Products

Require-Node