9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-7381

GHSA ID

GHSA-6898-wx94-8jq8

EPSS Score

0.82902%

CWE

CWE-74

Published

8/31/2020

Updated

9/8/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-7381

CVE-2013-7381: Potential Command Injection in libnotify

Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify.

Untrusted input passed in the call to libnotify.notify could result in execution of shell commands. Callers may be unaware of this.

Example

var libnotify = require('libnotify')
libnotify.notify('UNTRUSTED INPUT', { title: \"\" }, function () {
    console.log(arguments);
})

Special thanks to Neal Poole for submitting the pull request to fix this issue.

Recommendation

Update to version 1.0.4 or greater

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-7381

GHSA ID

GHSA-6898-wx94-8jq8

EPSS Score

0.82902%

CWE

CWE-74

Published

8/31/2020

Updated

9/8/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libnotify	npm	<= 1.0.3	1.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of child_process.exec with unsanitized user input in the notify() function. The pre-patch code (<=1.0.3) builds a command string by joining arguments including user-controlled input (msg and options.title) with spaces, then executes via exec(). This allows shell metacharacters in user input to break out of the intended command. The fix in 1.0.4 replaces exec() with execFile(), which avoids shell interpretation by passing arguments as an array. The commit diff clearly shows the vulnerable pattern: constructing args array with quoted user input, then executing via exec(args.join(' ')).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.*.* *n* **rli*r o* li*noti*y *r* *****t** *y * s**ll *omm*n* inj**tion vuln*r**ility. T*is m*y r*sult in *x**ution o* *r*itr*ry s**ll *omm*n*s, i* us*r input is p*ss** into li*noti*y.noti*y. Untrust** input p*ss** in t** **ll to li*noti*y

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `**il*_pro**ss.*x**` wit* uns*nitiz** us*r input in t** `noti*y()` *un*tion. T** pr*-p*t** *o** (<=*.*.*) *uil*s * *omm*n* strin* *y joinin* *r*um*nts in*lu*in* us*r-*ontroll** input (`ms*` *n* `options.titl*`)

9.8

Basic Information

Concerned about an active attack path?

CVE-2013-7381: Potential Command Injection in libnotify

Example

Recommendation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI