
CVE-2020-28435: ffmpeg-sdk vulnerable to OS Command Injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.2722%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: ffmpeg-sdk
Ecosystem: npm
Vulnerable Versions: <= 0.0.5
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is explicitly tied to line 9 in index.js, which corresponds to the exec() call within the execute function. This function accepts arbitrary command strings and executes them without sanitization, making it a direct OS command injection vector. Functions like clip() and parseAudio() that use execute() inherit this vulnerability when building their command strings with user-controlled parameters (e.g., inputFilePath/outputFilePath), but the root cause is the unsanitized exec() call in execute(). The PoC demonstrates exploitation via execute('touch JHU'), confirming this path.


WAF Protection Rules

WAF Rule

A command injection vulnerability affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.
