CVE-2019-5485
📋 TL;DR
CVE-2019-5485 is a critical command injection vulnerability in the gitlabhook NPM package that allows attackers to execute arbitrary commands on the server by injecting malicious payloads through the repository name parameter. This affects any system using gitlabhook version 0.0.17 to handle GitLab webhooks, potentially leading to complete system compromise.
💻 Affected Systems
- gitlabhook
📦 What is this software?
Gitlabhook by Gitlabhook Project
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system takeover, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote command execution allowing attackers to run arbitrary commands with the privileges of the gitlabhook process, potentially gaining shell access.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, restricting command execution to safe operations.
🎯 Exploit Status
Exploitation is trivial: publicly available proof-of-concept code shows command injection through the repository name parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.18 and later
Vendor Advisory: https://www.npmjs.com/advisories/1490
Restart Required: Yes
Instructions:
1. Update gitlabhook package: npm update gitlabhook
2. Verify version is 0.0.18 or higher: npm list gitlabhook
3. Restart any services using gitlabhook
4. Test webhook functionality
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation to reject repository names containing shell metacharacters
// JavaScript example: if (repoName.match(/[;&|`$()\n]/)) { rejectRequest(); }
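The one-line check above only filters; the following added example (not gitlabhook's own code) goes one step further and shows a hardened webhook handler that both rejects names with shell metacharacters and never passes the name through a shell at all. The allowlist pattern, the `deploy.sh` script name and the sample payloads are assumptions for illustration.

```javascript
// Added example, not gitlabhook's own code: a hardened handler for the
// repository-name field of a GitLab push webhook. It combines the two
// defences the workaround above describes: reject names carrying shell
// metacharacters, and never hand the name to a shell in the first place.

// Denylist from the workaround section: any shell metacharacter is rejected.
const SHELL_META = /[;&|`$()\n]/;
// Allowlist (assumed policy, not from the advisory): letters, digits, '.', '_', '-'.
const REPO_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function isSafeRepoName(name) {
  return typeof name === 'string' && !SHELL_META.test(name) && REPO_NAME.test(name);
}

// Build the deploy command as [file, argv]. child_process.execFile() passes
// each argv element as a separate process argument, so no shell ever parses
// the name; compare with exec('deploy.sh ' + name), where ';' starts a new command.
function buildDeployArgv(repoName, script) {
  if (!isSafeRepoName(repoName)) throw new Error('rejected repository name');
  return [script, ['--repo', repoName]];
}

// Minimal handler: decides on the HTTP status and the command it would run,
// without spawning anything, so the logic can be exercised offline.
function handleWebhook(payload, script = './deploy.sh') {
  const repoName = payload && payload.repository && payload.repository.name;
  if (!isSafeRepoName(repoName)) {
    return { status: 400, argv: null, reason: 'invalid repository name' };
  }
  const [file, args] = buildDeployArgv(repoName, script);
  return { status: 202, argv: [file, ...args], reason: 'accepted' };
}

// Constructed sample payloads (not captured webhook traffic).
const BENIGN_PAYLOAD = { repository: { name: 'my-service' } };
const HOSTILE_PAYLOAD = { repository: { name: 'my-service; echo injected' } };

// Run stand-alone to see both decisions; the real spawn goes through execFile.
if (typeof require !== 'undefined' && require.main === module) {
  const { execFile } = require('child_process');
  for (const payload of [BENIGN_PAYLOAD, HOSTILE_PAYLOAD]) {
    const decision = handleWebhook(payload, 'echo');
    console.log(decision);
    if (decision.argv) execFile(decision.argv[0], decision.argv.slice(1), (e, out) => console.log(out));
  }
}
```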
Network Isolation
Restrict webhook endpoint access to trusted IP ranges only
# Firewall rules (replace the placeholders; the ACCEPT rule must be inserted before the DROP rule):
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP
🧯 If You Can't Patch
- Immediately disable or remove gitlabhook 0.0.17 from production systems
- Implement network segmentation to isolate systems using vulnerable gitlabhook version
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list gitlabhook | grep gitlabhook
Check Version:
npm list gitlabhook
Verify Fix Applied:
Confirm version is 0.0.18+ (the pattern also matches 0.0.20 and later, 0.x and 1.x+ releases, which the original regex missed): npm list gitlabhook | grep -E 'gitlabhook@(0\.0\.(1[89]|[2-9][0-9]+)|0\.[1-9]|[1-9])'
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Webhook requests with shell metacharacters in repository field
- Process spawning from gitlabhook with unusual arguments
Network Indicators:
- HTTP POST requests to webhook endpoints containing shell metacharacters
- Outbound connections from gitlabhook process to unexpected destinations
SIEM Query:
source="application.log" "gitlabhook" AND ("&" OR "|" OR "`" OR "$" OR "(" OR ")")