Summary
A critical command injection vulnerability exists in the nei package for Node.js (versions prior to 3.8.0), allowing attackers to execute arbitrary operating system commands via unsanitized input in the openBrowser function. This flaw exposes applications to unauthorized system-level actions, compromising server security.
Details
The vulnerability arises from improper sanitization of user-provided input within the openBrowser function in the nei/lib/server/util module. The function directly concatenates unsanitized input into command-line operations without validation or escaping, enabling attackers to inject shell metacharacters (e.g., ;, &, |). This allows execution of arbitrary commands on the server hosting the application. The issue affects all versions of the nei package before 3.8.0. ### Impact This is a CWE-78: Improper Sanitization of Special Elements vulnerability, categorized as a command injection risk. Users running applications dependent on nei@<3.8.0 are impacted. An attacker could exploit this to perform unauthorized actions on the server, such as modifying files, exfiltrating data, or disrupting services, leading to full system compromise. Immediate upgrade to version 3.8.0 or later is recommended. For further details, visit the NEI Toolkit GitHub repository.
Summary
A critical command injection vulnerability exists in the
neipackage for Node.js (versions prior to 3.8.0), allowing attackers to execute arbitrary operating system commands via unsanitized input in theopenBrowserfunction. This flaw exposes applications to unauthorized system-level actions, compromising server security.Details
The vulnerability arises from improper sanitization of user-provided input within the
openBrowserfunction in thenei/lib/server/utilmodule. The function directly concatenates unsanitized input into command-line operations without validation or escaping, enabling attackers to inject shell metacharacters (e.g.,;,&,|). This allows execution of arbitrary commands on the server hosting the application. The issue affects all versions of theneipackage before 3.8.0. ### Impact This is a CWE-78: Improper Sanitization of Special Elements vulnerability, categorized as a command injection risk. Users running applications dependent onnei@<3.8.0are impacted. An attacker could exploit this to perform unauthorized actions on the server, such as modifying files, exfiltrating data, or disrupting services, leading to full system compromise. Immediate upgrade to version 3.8.0 or later is recommended. For further details, visit the NEI Toolkit GitHub repository.