CVE-2021-26541

9.8 CRITICAL

📋 TL;DR

CVE-2021-26541 is a command injection vulnerability in the gitlog npm package that allows attackers to execute arbitrary commands on the host system. This affects applications using vulnerable versions of gitlog to process git log data. The vulnerability is particularly dangerous because it can be exploited through user-controlled input.

💻 Affected Systems

Products:
  • gitlog npm package
Versions: All versions before 4.0.4
Operating Systems: All platforms where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the gitlog function in src/index.ts when processing user-controlled options.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Arbitrary command execution in the context of the application, potentially leading to data theft, system modification, or service disruption.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially only affecting the application's own data.

🌐 Internet-Facing: HIGH if the vulnerable function processes user-supplied input from web interfaces or APIs.
🏢 Internal Only: MEDIUM if the function is only used internally with controlled inputs, but still poses risk from insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the vulnerable function to process attacker-controlled input. The fix in PR #65 demonstrates the exploit pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.4 and later

Vendor Advisory: https://github.com/domharrington/node-gitlog/pull/65

Restart Required: Yes

Instructions:

1. Update package.json to require gitlog version 4.0.4 or higher.
2. Run 'npm update gitlog' or 'yarn upgrade gitlog'.
3. Restart the application to load the patched version.

🔧 Temporary Workarounds

Input validation and sanitization (platform: all)

Implement strict input validation for all parameters passed to the gitlog function.

Sandbox execution (platform: linux)

Run the application in a container or with limited privileges to restrict the impact of any command execution:

docker run --read-only --cap-drop=ALL -u nobody node-app

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs passed to gitlog
  • Run the application with minimal privileges and in a sandboxed environment

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list gitlog' to see if version is below 4.0.4

Check Version:

npm list gitlog | grep gitlog

Verify Fix Applied:

Verify gitlog version is 4.0.4 or higher with 'npm list gitlog' and test with known malicious inputs

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Git operations with suspicious parameters
  • Process spawning from Node.js with unexpected arguments

Network Indicators:

  • Outbound connections from Node.js process to unexpected destinations
  • Data exfiltration patterns

SIEM Query:

process.name:node AND cmdline:*git* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|*)
