Vulnerability impacts standard-version utility, which is used by more than 20,000 projects

The GitHub security team discovered a bug in a popular Node.js changelog library, standard-verion

A recently discovered bug allows hackers to execute shell commands in several node.js repositories, including the popular standard-version changelog utility, which is used by more than 20,000 projects, the GitHub Security Lab discovered last week.

In cases where standard-version’s releaseCommitMessageFormat parameter is provided with a user-controlled input, a malicious actor can manipulate the program’s flow to run arbitrary shell commands on the application server, a published proof-of-concept shows.

GitHub flagged the vulnerability as “moderate”. A spokesperson for GitHub Security Lab told The Daily Swig: “It is hard to create a complete exploit for this vulnerability, because it is a library function that is vulnerable.

“A complete exploit requires that some client uses that specific library function with user-controlled inputs.”

GitHub sent an alert to all the open source projects depending on standard-version to update to the fixed version (8.0.1). 

Command-line injection

The bug was discovered while the team working on CodeQL, GitHub’s semantic code security analysis tool, was developing a new query to detect similar bugs.

“The query modeled a dangerous code pattern that could end in a command-line injection vulnerability,” the spokesperson for GitHub Security Lab said.

“While researching this issue, we noticed roughly 15 other security issues that all followed the same pattern of: ‘library API that accidentally allows for remote code execution’.

“Sometimes due to lack of documentation or best practices, dangerous patterns are repeated over different codebases.”

READ MORE Unpatched regex bug leaves Node.js apps open to ReDoS attacks

After running the query on around 115,000 open source projects, GitHub Security Lab uncovered similar vulnerabilities in other libraries, including git-diff-apply, mversion, node-dns-sync, and others.

GitHub notified project maintainers to update their code.

“One of the objectives of the CodeQL team is to identify those patterns and build queries, to prevent developers from ever introducing that vulnerability again,” the spokesperson said.

Developers can use tools like GitHub code scanning to run security checks as they develop their repositories and automate security within the developer workflow.

“Developers can dive into the details of where issues lie in their code to retrieve more information on the vulnerability early on in the life cycle,” the GitHub Security Lab spokesperson added.

“Also, always try to keep your dependencies updated and be very careful while constructing shell commands using string-concatenation.”

RECOMMENDED The complete package: Everything you need to know about npm security