Arbitrary Command Injection Affecting codem-transcode package, versions <0.5.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:codem-transcode:20130707
- published 7 Jul 2013
- disclosed 7 Jul 2013
- credit Neal Poole
How to fix?
Either turn off the ffprobe
functionality or upgrade to (at least) version 0.5.0
, which address this issue by using execFile
instead of exec
.
Overview
The codem-transcode
package supports a feature (off by default) to interact with a local ffprobe
. When enabled, POST requests to /probe
trigger the execution of the local ffprobe
binary, with the provided parameters.
This execution is done using exec
, allowing piped requests, and therefore enabling remote command execution. Newer versions use execFile
instead, preventing such injection (though still giving attackers to whatever functionality ffprobe
supports, and any weaknesses in it).
Note that, by default, the package only listens for such requests from the local network interface, greatly reducing the likelihood of exploitation.