CVE-2020-7775
📋 TL;DR
CVE-2020-7775 is a critical OS command injection vulnerability in the freediskspace npm package: the path argument the library receives is passed into a shell command without neutralization, so an attacker who controls that argument can run arbitrary commands with the privileges of the Node.js process. Any application that lets untrusted input reach that argument is exploitable; the library itself does nothing to block it.
💻 Affected Systems
- freediskspace npm package
📦 What is this software?
freediskspace is an npm package for querying free disk space from Node.js (the CVE record lists the vendor as "Freediskspace Project").
⚠️ Manual Verification Required
The CVE record carries no affected-version range (none was supplied by the vendor or NVD), so automated detection cannot decide from an installed version number alone whether your system is affected. Treat the 3.0.2 threshold given under Official Fix as a claim to confirm against the Snyk advisory, not as NVD data, and assume any installed version is affected until you have confirmed it.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Trace whether any value derived from untrusted input (request parameters, configuration loaded from a user-writable location, job arguments) reaches the path argument passed to freediskspace in your code
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Arbitrary command execution with the privileges of the application using freediskspace, potentially leading to data theft or service disruption.
If Mitigated
Limited impact if application runs with minimal privileges and proper input validation is implemented.
🎯 Exploit Status
No special tooling is needed. If a caller-controlled string reaches the library's path argument, ordinary shell syntax (a ; or && separator, a | pipe, a $( ) or backtick substitution) ends the intended command and starts the attacker's, which then runs with the Node.js process's privileges. Exploitability therefore depends only on whether your application forwards untrusted input to that argument.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.2
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-FREEDISKSPACE-1040716
Restart Required: Yes (a running Node.js process keeps the already-loaded module; the update takes effect only after the process is restarted or redeployed)
Instructions:
1. Update package.json so the dependency reads "freediskspace": "^3.0.2", or run npm install freediskspace@^3.0.2, which installs the version and updates package.json in one step.
2. Run npm install, then npm ls freediskspace, and confirm that no older copy remains, including copies nested under other dependencies.
3. Restart or redeploy the application and re-test the disk-space functionality.
🔧 Temporary Workarounds
Input Validation
Validate the path argument against an allow-list (the characters a filesystem path legitimately needs) before it reaches freediskspace, and reject anything else rather than trying to escape it. Better still, never source that argument from untrusted input at all; use a fixed list of mount points your application is allowed to query.
Remove Package
If the freediskspace functionality is not essential, remove the package entirely (check with npm ls freediskspace that no other dependency pulls it in transitively):
npm uninstall freediskspace
🧯 If You Can't Patch
- Run application with minimal privileges (non-root user)
- Implement network segmentation to limit potential lateral movement
🔍 How to Verify
Check if Vulnerable:
Run npm ls freediskspace (it reports transitive copies nested under other dependencies, which a grep of package.json misses) and compare every reported version against 3.0.2. If you cannot confirm that threshold against the advisory, treat any installed copy as affected.
Check Version:
npm list freediskspace
Verify Fix Applied:
npm ls freediskspace reports 3.0.2 or higher for every copy, with no older copy nested under another dependency, and the application has been restarted since the update.
📡 Detection & Monitoring
Log Indicators:
- A shell (sh -c ...) spawned by the Node.js process whose command line contains separators, pipes or command substitutions, rather than the single disk-usage command the library is expected to run
- Unexpected grandchildren of the Node.js process such as download tools, interpreters or network utilities
Network Indicators:
- Unexpected outbound connections from application server
SIEM Query (ECS-style field names; adapt to your schema):
process.parent.name:node AND process.name:(sh OR bash OR dash) AND process.args:"-c" AND (process.args:*;* OR process.args:*&* OR process.args:*|*)
The library's name does not appear on the child process's command line: Node's child_process.exec() spawns /bin/sh -c <command>, so key on a shell whose parent is the node process rather than on the string "freediskspace". The OR group must be parenthesised, otherwise the AND conditions apply only to the first alternative. Applications that legitimately build pipelines through exec() will also match, so baseline before alerting, and extend the group with $( and backtick patterns where your query language permits them.