Description
Summary
A critical command injection vulnerability (CWE-78) exists in versions of the @easy-team/easywebpack package prior to 4.2.8. The install function in the utils/install module insecurely handles user-supplied input in the npm parameter, allowing attackers to execute arbitrary operating system commands. This vulnerability enables remote code execution (RCE) in the context of the affected application, posing a severe security risk.
Details
The vulnerability arises from insufficient validation and sanitization of the npm parameter passed to the install function. When processing this parameter, the module constructs system commands without properly neutralizing malicious input. Attackers can exploit this flaw by providing a specially crafted value for the npm argument, which gets executed as part of a system command. This issue affects the package's installation utility, which is commonly used during project setup or dependency management workflows.
The vulnerability was fixed in version 4.2.8 by implementing strict input validation and sanitization for the npm parameter, preventing unauthorized command execution.
Impact
This vulnerability (CWE-78) impacts all users of @easy-team/easywebpack versions prior to 4.2.8. Successful exploitation could allow attackers to:
- Execute arbitrary OS commands on the target system
- Gain unauthorized access to the affected application or underlying infrastructure
- Modify critical files or exfiltrate sensitive data
- Compromise the integrity of the build process in development environments
Applications using this package in production or CI/CD pipelines are particularly at risk, as attackers could exploit this flaw to escalate privileges or pivot to other systems within the network.