docker-compose-remote-api

vulnerability command injection
severity 6.5
language javascript
registry npm

Overview

docker-compose-remote-api is a Connection interface between docker-compose and the Docker Remote API, this package is vulnerable to Command Injection.

Within the index.js file of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable serviceName which can be controlled by users without any sanitization.

Proof of Concept

var Root = require("docker-compose-remote-api");
var root = Root({cwd:__dirname}).exec("& touch vulnerable.txt");