Fixed version: 0.1.5
CVE-2019-15597 is a critical Command Injection vulnerability affecting versions of the node-df package up to 0.1.4. This vulnerability allows attackers to execute arbitrary commands on the server by manipulating filenames passed to the file option. Currently, no official fix is available, requiring users to implement mitigation strategies to reduce risk.
The vulnerability stems from a lack of proper sanitization of filenames provided to the file option within the node-df package. An attacker who can control this filename input can inject arbitrary commands that will be executed by the server's operating system. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The blast radius is significant, potentially impacting any application relying on node-df with user-controlled input influencing the file parameter.
CVE-2019-15597 was publicly disclosed on February 14, 2020. While no active exploitation campaigns have been definitively linked to this vulnerability, the critical severity and ease of exploitation make it a potential target. The lack of a patch increases the risk. No KEV listing is present as of this writing.
Applications built on Node.js that utilize the node-df package and allow user-controlled input to influence the file option are at significant risk. This includes applications that process user-uploaded files or handle file system operations based on user requests. Shared hosting environments where multiple applications share the same server are particularly vulnerable.
• nodejs / server:
find /usr/local/lib/node_modules -name "node-df*" -type d -print0 | xargs -0 grep -ri 'file = process.argv[2]'
• nodejs / server:
npm list node-df | grep -i vulnerable
• generic web:
Inspect application code for any usage of node-df where user-supplied input is used to construct filenames passed to the file option.
Disclosure
Exploitation status
EPSS: 3.75% (88th percentile)
CVSS vector
Since no official fix is currently available, mitigation strategies are crucial. The primary approach is to avoid using node-df entirely if possible, opting for alternative packages that do not exhibit this vulnerability. If node-df is essential, strictly validate and sanitize any user-provided input used in the file option. Implement robust input validation to prevent command injection attempts. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. Until a fix is released, carefully review and restrict access to the server running applications using node-df.
Update the node-df package to a version later than 0.1.4 that fixes the code injection vulnerability. Consult the release notes or the project repository for more details about the fix.
CVE-2019-15597 is a critical vulnerability in node-df versions up to 0.1.4 that allows attackers to execute arbitrary commands on the server due to insufficient filename sanitization.
You are affected if your Node.js application uses node-df version 0.1.4 or earlier and allows user-controlled input to influence the file option.
Currently, no official fix is available. Mitigate by avoiding node-df, sanitizing user input, and using a WAF.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
The vulnerability is documented on the National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2019-15597