Platform: nodejs
Component: logkitty
Fixed in: 0.7.2, 0.7.1
CVE-2020-8149 is a critical vulnerability affecting the logkitty npm package. This vulnerability stems from a lack of output sanitization, enabling an attacker to execute arbitrary shell commands. It impacts Node.js projects utilizing the logkitty package versions prior to 0.7.1. A fix has been released in version 0.7.1.
The lack of output sanitization in logkitty allows attackers to inject and execute arbitrary shell commands on the system where the package is running. This can lead to complete system compromise, including data exfiltration, malware installation, and denial of service. Attackers could potentially gain persistent access to the system by establishing a backdoor. The blast radius extends to any application or service relying on the vulnerable logkitty package, potentially impacting sensitive data and critical infrastructure.
This vulnerability gained significant attention due to its ease of exploitation and potential for widespread impact. Public proof-of-concept exploits were quickly developed and shared, increasing the risk of malicious actors leveraging this flaw. While active exploitation campaigns are not definitively confirmed, the vulnerability's severity and readily available exploits suggest a high probability of exploitation. It was disclosed on 2020-06-05.
Exploit Status
EPSS: 2.04% (84th percentile)
CVSS Vector
The primary mitigation for CVE-2020-8149 is to immediately upgrade the logkitty package to version 0.7.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating the affected application or service and implementing stricter input validation to prevent malicious commands from reaching the logkitty package. Review your application's logging configuration to ensure no sensitive information is being passed to logkitty that could be exploited. After upgrading, confirm the fix by attempting to inject a benign command through the logging mechanism and verifying that it is not executed.
Update the logkitty package to version 0.7.1 or higher. This will fix the output sanitization vulnerability that allows arbitrary command execution.
CVE-2020-8149 is a critical vulnerability in the logkitty npm package allowing attackers to execute arbitrary shell commands due to insufficient output sanitization. This impacts Node.js applications using versions prior to 0.7.1.
You are affected if your Node.js project uses the logkitty package in a version earlier than 0.7.1. Check your package.json file to determine your current version.
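The quickest check is `npm ls logkitty`, which prints every installed copy, including transitive ones. The script below is an added example, not part of this advisory page or the logkitty project: it walks a package-lock.json (both the v1 nested "dependencies" layout and the v2/v3 flat "packages" map), finds every installed copy of logkitty, and flags those whose version compares below the fixed version 0.7.1 using a proper semver comparison rather than a string comparison (so 0.10.0 is correctly treated as newer than 0.7.1, and a 0.7.1 pre-release as older). The lockfile object embedded at the bottom is constructed for illustration; pass a real lockfile path as the first argument to scan a project.

```javascript
// Added example (not from the advisory or the logkitty project): report installed
// copies of logkitty older than the CVE-2020-8149 fix version.
const PACKAGE_NAME = 'logkitty';
const FIXED_VERSION = '0.7.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Negative if a < b, 0 if equal, positive if a > b (semver 2.0.0 precedence rules).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  // A pre-release sorts before the release with the same core (0.7.1-rc.1 < 0.7.1).
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1; // shorter identifier list sorts first
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] - +y.pre[i]; }
    else if (xn) return -1; // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Every installed path of `name` in a lockfile object, direct or transitive.
function findInstalled(lock, name) {
  const hits = [];
  // lockfile v2/v3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfile v1: nested "dependencies" trees
  const walkV1 = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: meta.version });
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, '');
  return hits;
}

// Copies of logkitty whose version is below the fixed version.
function vulnerableCopies(lock) {
  return findInstalled(lock, PACKAGE_NAME)
    .filter(h => compareSemver(h.version, FIXED_VERSION) < 0)
    .sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed lockfile (v2/v3 layout) with one direct and two nested copies.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/logkitty': { version: '0.6.0' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/logkitty': { version: '0.7.1' },
    'node_modules/other-tool': { version: '1.2.3' },
    'node_modules/other-tool/node_modules/logkitty': { version: '0.7.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const bad = vulnerableCopies(lock);
  if (bad.length === 0) {
    console.log(`no ${PACKAGE_NAME} < ${FIXED_VERSION} found`);
  } else {
    for (const h of bad) console.log(`VULNERABLE: ${h.path} is ${h.version} (< ${FIXED_VERSION})`);
    process.exitCode = 1;
  }
}
```

A non-zero exit code makes the check usable as a CI gate; on a real project, prefer scanning package-lock.json over package.json, because package.json records a version range, not the version actually installed.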
Upgrade the logkitty package to version 0.7.1 or later using npm: npm install logkitty@latest.
While confirmed active exploitation is not publicly documented, the vulnerability's severity and readily available proof-of-concept exploits suggest a high probability of exploitation.
Refer to the npm advisory for CVE-2020-8149: https://www.npmjs.com/advisories/1237