CVE-2019-10788

9.8 CRITICAL

📋 TL;DR

CVE-2019-10788 is a critical command injection vulnerability in the im-metadata npm package that allows remote attackers to execute arbitrary commands on affected systems. Attackers can inject malicious commands through the metadata options parameter, which gets passed to the exec() function. This affects any application using vulnerable versions of im-metadata.

💻 Affected Systems

Products:
  • im-metadata npm package
Versions: All versions through 3.0.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses im-metadata with user-controlled input for metadata options is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, pivot to other systems, or establish persistent backdoors.

🟠 Likely Case

Remote command execution leading to data theft, service disruption, or cryptocurrency mining malware installation.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though command injection would still be possible.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing applications particularly vulnerable.
🏢 Internal Only: HIGH - Even internal applications are vulnerable to authenticated or unauthenticated attacks depending on implementation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it involves simple command injection. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.2 and later

Vendor Advisory: https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639

Restart Required: Yes

Instructions:

1. Update package.json to require im-metadata version 3.0.2 or later.
2. Run 'npm update im-metadata' or 'yarn upgrade im-metadata'.
3. Restart your application to load the patched version.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation to reject any metadata options containing shell metacharacters or suspicious patterns.

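// JavaScript example: validate metadata options before passing to im-metadata
function sanitizeMetadata(options) {
  // Only strings are checked here; other types would be coerced by test().
  if (typeof options !== 'string') {
    throw new Error('Invalid metadata options');
  }
  // Shell metacharacters, plus quotes, backslash and line breaks.
  const dangerousChars = /[;&|`$(){}[\]<>'"\\\r\n]/;
  if (dangerousChars.test(options)) {
    throw new Error('Invalid metadata options');
  }
  return options;
}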

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs passed to im-metadata functions.
  • Run the application with minimal privileges and in a sandboxed/containerized environment to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for im-metadata version. If version is 3.0.1 or earlier, the system is vulnerable.

Check Version:

npm list im-metadata | grep im-metadata

Verify Fix Applied:

Verify that im-metadata version is 3.0.2 or later in package.json and that npm list shows the updated version.
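
The version check above can be run against a lockfile directly, which also catches copies pulled in as transitive dependencies. The following is an added example, not code from the advisory or from the im-metadata project; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example (not from the advisory): find every locked copy of im-metadata
// at or below 3.0.1, the last affected version named on this page.
const LAST_AFFECTED = [3, 0, 1];

// Parse "MAJOR.MINOR.PATCH" (ignoring prerelease/build suffixes) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable (git URL, tag): flag for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 3.0.1
}

// Returns [{ path, version }] for each affected copy, including transitive ones.
function findAffected(lock, name = 'im-metadata') {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === name && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  if (lock.packages) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, prefix) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name && isAffected(info.version)) hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  })(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not real project data).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/im-metadata': { version: '3.0.2' },
  'node_modules/thumbs/node_modules/im-metadata': { version: '3.0.1' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  thumbs: { version: '1.2.0', dependencies: { 'im-metadata': { version: '2.1.0' } } } } };
console.log(findAffected(sampleV3), findAffected(sampleV1));
```

To check a real project, pass the parsed contents of its package-lock.json to findAffected; an empty array means no locked copy is at 3.0.1 or earlier.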

📡 Detection & Monitoring

Log Indicators:

  • Unusual process executions from Node.js applications
  • Commands with shell metacharacters in application logs
  • Unexpected child process spawns

Network Indicators:

  • Outbound connections to suspicious IPs from Node.js processes
  • Unexpected data exfiltration patterns

SIEM Query:

process.name:node AND (process.args:*cmd.exe* OR process.args:*sh* OR process.args:*bash* OR process.args:*powershell*)
