skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
April 13, 2021

GHSL-2020-373: Command injection in node-notifier

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

node-notifier recently addressed a command injection vulnerability in https://github.com/advisories/GHSA-5fw9-fq32-wv5p, however this fix appears to be insufficient and command injection through malicious input is still possible.

Product

Tested Version

8.0.1

Details

node-notifier is a general purpose library for showing OS notifications (toasts). A client of the library expects that they can safely call the methods in node-notifier with user-controlled inputs. However, in some cases, that can lead to arbitrary command execution.

Issue 1: Insufficient input sanitization leads to command injection

Certain input fields of node-notifier are insufficiently sanitized and allow for command injection when passed as command line arguments.

The provided PoC pretends to be a client that sends malicious inputs to node-notifier.

The outcome of the PoC is that a file exploit is created in the current working directory.

var notifier = new Notify({ suppressOsdCheck: true }); var options = { title: “titl”, message: “msg”, “app-name”: [“footouch exploit”] //”category”: [“footouch exploit”] }; notifier.notify(options, () => {}); ```

Impact

Arbitrary command execution

Resources

Credit

This issue was discovered and reported by GitHub team member @erik-krogh.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-373 in any communication regarding this issue.