CVE-2021-26275
📋 TL;DR
The eslint-fixer package for Node.js contains a command injection vulnerability that allows attackers to execute arbitrary commands on the host system by injecting shell metacharacters into the fix function. This affects all users of eslint-fixer versions 0.1.5 and earlier. The package is no longer maintained and its repository has been intentionally deleted.
💻 Affected Systems
- eslint-fixer
📦 What is this software?
Eslint Fixer by Eslint Fixer Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with the privileges of the Node.js process, potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, restricting command execution to safe operations only.
🎯 Exploit Status
Exploitation requires user-controlled input to the vulnerable fix function. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://advisory.checkmarx.net/advisory/CX-2021-4774
Restart Required: No
Instructions:
1. Remove eslint-fixer from your project dependencies.
2. Update package.json to remove eslint-fixer.
3. Run npm uninstall eslint-fixer.
4. Use alternative packages like eslint with proper security controls.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject any input containing shell metacharacters before passing it to the fix function.
// JavaScript example (no 'g' flag: a global regex keeps lastIndex between test() calls and can miss a match on the next call):
if (/[;&|`$(){}[\]<>]/.test(userInput)) { throw new Error('Invalid input'); }
Replace with Secure Alternative
Replace eslint-fixer with the official eslint package, which does not have this vulnerability.
npm uninstall eslint-fixer
npm install eslint --save-dev
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using eslint-fixer from critical infrastructure
- Deploy application-level firewalls to monitor and block suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules for eslint-fixer version 0.1.5 or earlier
Check Version:
npm list eslint-fixer
Verify Fix Applied:
Confirm eslint-fixer is no longer in package.json or node_modules directory
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns from Node.js processes
- Shell metacharacters in application logs
- Unexpected child process spawns
Network Indicators:
- Outbound connections to suspicious IPs from Node.js processes
- Unexpected data exfiltration patterns
SIEM Query:
process.name:node AND cmdline:*eslint-fixer* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|* OR cmdline:*`*)