CVE-2020-7602
📋 TL;DR
CVE-2020-7602 is a command injection vulnerability in node-prompt-here that allows attackers to execute arbitrary commands on affected systems. The vulnerability exists because user-controlled input is passed directly to execSync() without sanitization. This affects any application using vulnerable versions of the node-prompt-here package.
💻 Affected Systems
- node-prompt-here
📦 What is this software?
Node Prompt Here by Node Prompt Here Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with complete control over the host, allowing data theft, ransomware deployment, or use as a foothold for lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential privilege escalation.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, though the vulnerability still exists.
🎯 Exploit Status
Simple command injection with publicly available proof-of-concept
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.2
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115
Restart Required: Yes
Instructions:
1. Update node-prompt-here to version 1.0.2 or later using npm update node-prompt-here
2. Restart any applications using this package
3. Verify the update with npm list node-prompt-here
🔧 Temporary Workarounds
Input Validation
Applies to: all
Implement strict input validation for any user-controlled parameters passed to the getDevices() function
Package Removal
Applies to: all
Remove node-prompt-here if not essential for application functionality
npm uninstall node-prompt-here
🧯 If You Can't Patch
- Implement network segmentation to isolate affected systems
- Deploy application-level firewalls to monitor and block suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list node-prompt-here to see if version ≤1.0.1 is installed
Check Version:
npm list node-prompt-here | grep node-prompt-here
Verify Fix Applied:
Verify node-prompt-here version is 1.0.2 or higher using npm list node-prompt-here
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns from the node process
- Suspicious child process spawns with user-controlled arguments
Network Indicators:
- Unexpected outbound connections from the node application
- Command and control traffic patterns
SIEM Query:
process.name:node AND process.args:*execSync* AND process.args:*user_input*