
CVE-2013-7381: Potential Command Injection in libnotify

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.82902%
Published: 8/31/2020
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
libnotify      npm         <= 1.0.3              1.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the use of child_process.exec with unsanitized user input in the notify() function. The pre-patch code (<= 1.0.3) builds a single command string by wrapping the user-controlled values (msg and options.title) in double quotes, joining them with spaces and handing the result to exec(), which runs it through /bin/sh. Quoting is not a defense here: a double quote inside msg or title terminates the quoted argument, after which shell metacharacters such as ; | $( ) are interpreted and can run arbitrary commands. The fix in 1.0.4 replaces exec() with execFile(), which takes the arguments as an array and passes them straight to the executable's argv without a shell, so metacharacters arrive as literal text. The commit diff shows the vulnerable pattern directly: an args array built from quoted user input, then exec(args.join(' ')).


WAF Protection Rules

WAF Rule

Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify. Untrusted input passed in the call to libnotify
