CVE-2022-29080
📋 TL;DR
The npm-dependency-versions package through version 0.3.0 contains a command injection vulnerability: values under the pkgs key of the JSON object passed to its dependencyVersions function are placed into a shell command without escaping, so shell metacharacters in a value run as additional commands. This affects any Node.js application that uses this package and calls dependencyVersions with user-controlled input. An attacker who can influence that JSON input can achieve remote code execution with the privileges of the Node.js process.
💻 Affected Systems
- npm-dependency-versions
📦 What is this software?
npm-dependency-versions, a Node.js package maintained at https://github.com/barneycarroll/npm-dependency-versions (NVD lists the vendor as "Npm Dependency Versions Project")
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, allowing data theft, ransomware deployment, or use as a pivot point for lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, or cryptocurrency mining malware installation.
If Mitigated
Limited impact if proper input validation and sanitization are implemented, or if the vulnerable function isn't exposed to untrusted inputs.
🎯 Exploit Status
Exploitation requires the vulnerable function to be called with attacker-controlled input; no separate bypass is needed once that condition holds. The CVSS 9.8 score (network vector, low attack complexity, no privileges or user interaction required) indicates critical severity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 0.3.1 or later
Vendor Advisory: https://github.com/barneycarroll/npm-dependency-versions/issues/6
Restart Required: Yes
Instructions:
1. Update package.json to specify "npm-dependency-versions": "^0.3.1" in dependencies
2. Run npm update npm-dependency-versions (or npm install npm-dependency-versions@^0.3.1) so package-lock.json and node_modules pick up the fixed release
3. Restart your Node.js application so the patched module is loaded
4. Verify the update with npm list npm-dependency-versions
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation that rejects any JSON whose pkgs entries contain shell metacharacters. A denylist of characters is only a stopgap: prefer an allowlist of valid npm package names, since the shell call itself lives inside the package and the application can only control what it passes in.
// JavaScript example: validate input before calling dependencyVersions.
// Each string in pkgs is checked individually; testing JSON.stringify(input.pkgs)
// would see the '{', '}' and '"' that stringification itself adds and reject every input.
function sanitizeInput(input) {
  const shellMetacharacters = /[;&|`$(){}[\]<>'"\\\n\r]/;
  const pkgs = input.pkgs || {};
  const strings = Array.isArray(pkgs) ? pkgs : [...Object.keys(pkgs), ...Object.values(pkgs)];
  for (const s of strings) {
    if (typeof s !== 'string' || shellMetacharacters.test(s)) {
      throw new Error('Invalid input: shell metacharacters detected');
    }
  }
  return input;
}
🧯 If You Can't Patch
- Remove or disable usage of the npm-dependency-versions package entirely from your application
- Implement network segmentation and strict firewall rules to limit the attack surface of affected systems
🔍 How to Verify
Check if Vulnerable:
Check package-lock.json (or the npm ls output below) for any installed copy of npm-dependency-versions at version <=0.3.0, including transitive copies nested under other packages' node_modules. package.json alone only shows the requested range, not the version actually installed.
Check Version:
npm ls --all npm-dependency-versions | grep npm-dependency-versions
(--all includes nested copies on npm 7+; on npm 6 use --depth=9999 instead)
Verify Fix Applied:
Run npm ls --all npm-dependency-versions and confirm every listed copy is 0.3.1 or higher; npm audit should also stop flagging the package once package-lock.json is updated.
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands executed from Node.js processes
- Unexpected child process spawns from the application
- Application error logs showing rejected pkgs values containing shell metacharacters (only present if your validation layer logs rejections)
Network Indicators:
- Outbound connections to suspicious IPs or domains from the Node.js process
- Unexpected data exfiltration patterns
SIEM Query:
process.parent.name: "node" AND process.name: ("sh" OR "bash" OR "dash") AND process.command_line: (*;* OR *|* OR *&&* OR *`* OR *$(*)
(ECS field names, KQL syntax; adapt to your schema. The function name dependencyVersions never appears in process arguments, so matching on it finds nothing; what exploitation leaves behind is a shell child of the node process carrying the injected command. npm lifecycle scripts such as npm run and npm test produce the same parent/child shape, so baseline them and tune before alerting.)