CVE-2019-10787: OS Command Injection in im-resize

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.86815%
Published: 4/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
im-resize      npm         <= 2.3.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the main exported function in index.js, which:

  1. Takes user-controlled 'image' input
  2. Builds a command string (cmd) from this input
  3. Passes it directly to exec() without sanitization

Supporting evidence:

  4. The commit diff shows that input validation regex checks for special characters were added later, confirming the original lack of sanitization
  5. The CWE-78 classification directly matches the unsanitized OS command execution pattern
  6. Multiple sources confirm the 'cmd' argument was user-controlled and unsanitized


WAF Protection Rules

WAF Rule

im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js can be controlled by a user without any sanitization.
