CVE-2020-28439
📋 TL;DR
CVE-2020-28439 is a critical OS command injection vulnerability in the corenlp-js-prefab npm package that allows attackers to execute arbitrary commands on affected systems. All versions of this package are vulnerable due to improper input sanitization in the index.js file. Any application using this package for natural language processing is at risk.
💻 Affected Systems
- corenlp-js-prefab
📦 What is this software?
Corenlp Js Prefab by Corenlp Js Prefab Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing remote code execution, data exfiltration, lateral movement, and complete control of the affected server.
Likely Case
Remote code execution leading to data theft, cryptocurrency mining, or deployment of additional malware payloads.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially only affecting the application's own data.
🎯 Exploit Status
Proof of concept available in vulnerability disclosure. Simple command injection via user-controlled input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to corenlp-js-interface 1.0.2 or later
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-CORENLPJSPREFAB-1050434
Restart Required: Yes
Instructions:
1. Update the corenlp-js-interface dependency to version 1.0.2 or later.
2. Run 'npm update corenlp-js-interface'.
3. Restart your application.
4. Verify no vulnerable versions remain with 'npm list corenlp-js-interface'.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation and sanitization for all user inputs passed to corenlp-js-prefab functions.
Remove Package
Temporarily remove corenlp-js-prefab from your application until patched.
npm uninstall corenlp-js-prefab
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems
- Deploy application-level firewalls with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check package.json for a corenlp-js-prefab dependency and run 'npm list corenlp-js-interface' to see which version of corenlp-js-interface is installed.
Check Version:
npm list corenlp-js-interface
Verify Fix Applied:
Verify corenlp-js-interface version is 1.0.2 or later with 'npm list corenlp-js-interface' and test with safe input.
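The version check above only looks at the top-level summary; a copy of corenlp-js-interface nested under corenlp-js-prefab can still be old. The following added example (not part of this advisory or the package) walks an 'npm ls --json --all' tree and reports every copy older than 1.0.2; the dependency tree in it is constructed for illustration and assumes corenlp-js-prefab pulls in corenlp-js-interface.

```javascript
// Added example: find every copy of corenlp-js-interface older than the fixed
// version (1.0.2) in an `npm ls --json --all` dependency tree, including
// nested copies that a top-level `npm list` summary hides.
const FIXED_VERSION = [1, 0, 2];
const PACKAGE = 'corenlp-js-interface';

// Parse "1.0.1" (or "1.0.1-beta") into numeric parts; non-numeric parts become 0.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((p) => parseInt(p, 10) || 0);
}

// Returns true if version a is older than version b (major.minor.patch).
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively walk the tree and collect the path to each vulnerable copy.
function findVulnerable(tree, path = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === PACKAGE && node.version &&
        olderThan(parseVersion(node.version), FIXED_VERSION)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(node, here));
  }
  return hits;
}

// Constructed sample of `npm ls --json --all` output (versions are placeholders):
// one patched copy at top level, one vulnerable copy nested under corenlp-js-prefab.
const sampleTree = {
  name: 'example-app',
  dependencies: {
    'corenlp-js-interface': { version: '1.0.2' },
    'corenlp-js-prefab': {
      version: '1.0.0',
      dependencies: { 'corenlp-js-interface': { version: '1.0.1' } },
    },
  },
};

const findings = findVulnerable(sampleTree);
console.log(findings.length ? `VULNERABLE:\n${findings.join('\n')}` : 'no vulnerable copies found');
```

To run it against a real project, replace sampleTree with JSON.parse of the output of 'npm ls --json --all'.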
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in application logs
- Error messages containing shell commands
- Unexpected process spawns from Node.js application
Network Indicators:
- Outbound connections to suspicious IPs from application server
- Unexpected DNS queries for command and control domains
SIEM Query:
process.name:node AND (cmdline:*cmd.exe* OR cmdline:*sh* OR cmdline:*bash*) AND NOT user:root