Miggo Logo
Miggo Vulnerability Database
CVE-2019-10804

CVE-2019-10804: OS Command Injection in serial-number

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-10804
GHSA ID
GHSA-3fw4-4h3m-892h
EPSS Score
0.67849%
CWE
CWE-78
Published
4/13/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
serial-numbernpm<= 1.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the serialNumber function's handling of the 'cmdPrefix' parameter. The code at line 106 (and related exec calls) directly interpolates this user-controlled input into child_process.exec() commands without sanitization. This matches the CWE-78 pattern where untrusted data flows into OS command execution. The advisory explicitly identifies this argument/exec combination as the vulnerability source, and the provided code snippet confirms insecure command construction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

s*ri*l-num**r t*rou** *.*.* *llows *x**ution o* *r*rit*ry *omm*n*s. T** &quot;*m*Pr**ix&quot; *r*um*nt in s*ri*lNum**r *un*tion is us** *y t** &quot;*x**&quot; *un*tion wit*out *ny v*li**tion.

Reasoning

T** vuln*r**ility st*ms *rom t** `s*ri*lNum**r` *un*tion's **n*lin* o* t** '*m*Pr**ix' p*r*m*t*r. T** *o** *t lin* *** (*n* r*l*t** `*x**` **lls) *ir**tly int*rpol*t*s t*is us*r-*ontroll** input into `**il*_pro**ss.*x**()` *omm*n*s wit*out s*nitiz*ti