Local file read and RCE errors have been linked to Express.js and Handlebars usage

A potential remote code execution vulnerability has been uncovered in Node.js apps

A vulnerability in a Node.js web application framework could be exploited to achieve remote code execution (RCE).

Made public by self-described “wannabe” security researcher Shoeb ‘CaptainFreak’ Patel on January 23, the research suggests that Express.js may be susceptible to local file read errors. When combined with an old version of the Handlebars engine, this flaw could also be exploited to remotely execute malicious code.

Handlebars is a popular templating engine for web applications.

Speaking to The Daily Swig, Patel said that he decided to hunt for vulnerabilities in Node.js, Express.js, and Handlebars due to his familiarity with the code as a developer.

‘Dependency hell’

In a technical writeup, Patel said that last week, he “stumbled across” a critical local file read security issue which only required a payload of fewer than 10 lines of code to turn it into a potential RCE exploit.

The developer said they were “surprised and disillusioned” by the bug, laying the blame on ‘dependency hell’ – a common development issue experienced when software relies on conflicting dependencies.

“To be honest, I should not have been that surprised,” Patel said. “The betrayal by in-built modules, dependencies, and packages have been the reason to introduce numerous security bugs. This is a recurring theme in software security.”

Read more of the latest remote code execution security news

To ascertain if his findings were a “known issue” or not, Patel created a Capture the Flag (CTF) competition on Twitter and shared it with associates across web security, CTF competitions, software engineering, and bug bounty groups.

Four participants successfully found the flag, a ‘secret’ layout parameter. Upon further investigation of the odd code in Node.js, Patel found that it was possible to read any file with an extension by reading “from the root views directory + layout, and pass[ing] it to handlebars.compile, which gives us the HTML after compiling the given file which we completely control”.

It is then possible to trigger RCE with certain prerequisites, including the use of Handlebars versions 4.0.3 and below. A vulnerability in these versions permitted prototype pollution and RCE payload creation, as shown in Mahmoud Gamal’s RCE payload for Shopify. This issue has been patched in Handlebars versions 4.1.2, 4.0.14, and later.

Patel says that potential real-world applications include server compromise through RCE, or at the least, information and source code leaks caused by the local file read vulnerability.

“I wrote about it so that the whole NodeJs and web development community [would] know about this quirky behavior in this stack,” Patel commented.

YOU MAY ALSO LIKE Blind TCP/IP hijacking is resurrected for Windows 7