CVE-2020-28429
📋 TL;DR
CVE-2020-28429 is a command injection vulnerability in the geojson2kml npm package: attacker-controlled input that reaches the package is interpolated into a shell command, so an attacker can run arbitrary system commands on the host. All versions of geojson2kml are affected and no fixed release exists, which puts any application that depends on this package at risk of remote code execution.
💻 Affected Systems
- geojson2kml npm package
📦 What is this software?
Geojson2kml by Geojson2kml Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Since no fixed version exists, plan to remove the package rather than wait for an update (see Fix & Mitigation)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining shell access, installing malware, exfiltrating data, or pivoting to other systems.
Likely Case
Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware installation.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, potentially only causing denial of service.
🎯 Exploit Status
A proof of concept demonstrates simple command injection using shell metacharacters. Exploitation requires that attacker-controlled input reach the vulnerable function; whether that is possible depends on how the calling application sources the values it passes to geojson2kml.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
Restart Required: No
Instructions:
No official patch exists. Remove geojson2kml from your project and use alternative packages or implement custom conversion logic with proper input validation.
🔧 Temporary Workarounds
Remove vulnerable package
Uninstall geojson2kml and replace it with an alternative solution:
npm uninstall geojson2kml
Input validation wrapper
Create a wrapper function that validates input before passing it to geojson2kml. Validate against an explicit allowlist of permitted characters rather than a denylist of shell metacharacters, which is easy to get wrong (backticks, newlines, quotes and $( ) are as dangerous as ; | and &).
// Wrapper: accept only input matching a strict allowlist, reject everything else, then call geojson2kml
🧯 If You Can't Patch
- Implement strict input validation: allowlist the characters you expect (for a file name, typically letters, digits, dot, underscore, hyphen) and reject everything else. A denylist of shell metacharacters (&, |, ;, $, backtick, newline, quotes, <, >, parentheses) is a weaker fallback because it only catches what you remembered to list
- Run application in containerized environment with minimal privileges and network restrictions
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for a geojson2kml dependency, or run: npm list geojson2kml (this also reports the package when it is pulled in transitively by another dependency)
Check Version:
npm list geojson2kml
Verify Fix Applied:
Verify geojson2kml is no longer in package.json and npm list shows no geojson2kml installation
📡 Detection & Monitoring
Log Indicators:
- Unusual system commands executed by Node.js process
- Process spawning unexpected child processes
- Failed command execution attempts with shell metacharacters
Network Indicators:
- Outbound connections from Node.js process to unexpected destinations
- DNS requests for command and control domains
SIEM Query:
process.parent.name:(node OR node.exe) AND process.name:(sh OR bash OR dash OR cmd.exe OR powershell.exe OR pwsh)
Match on the parent/child relationship rather than on substrings of process.args: a pattern such as *sh* also matches unrelated arguments (dashboard.js, hash, publish), and restricting process.name to node.exe misses Linux hosts entirely. Baseline any shells your application spawns on purpose and alert on the rest, prioritising command lines that contain ; | & backtick or $( after user-supplied data.