
CVE-2020-7609: Code Injection in node-rules

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.65538%
Published: 12/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: node-rules
Ecosystem: npm
Vulnerable Versions: >= 3.0.0, < 5.0.0
First Patched Version: 5.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the fromJSON function's unsafe handling of user input. The patch commit diff shows that fromJSON rebuilt rule objects by calling eval() on raw strings taken from the JSON input, the serialized function source of each rule. Because eval() executes whatever JavaScript the string contains, and fromJSON accepted its rules argument without any validation, anyone who can supply or modify the serialized rules can run arbitrary code inside the Node.js process at deserialization time, before any rule is ever evaluated (and from there, for example, spawn OS commands through child_process). Multiple sources (the CVE record, the GHSA advisory, Snyk, and the patch commit) identify fromJSON as the vulnerable entry point; version 5.0.0 removed the function rather than hardening it, so consumers that relied on fromJSON have to replace that call path, not merely bump the dependency.
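The pattern described above, as an added illustration that is not node-rules' own code: a simplified reconstruction of an eval-based fromJSON beside a hardened deserializer that accepts only handler names resolved against an allow-list of functions defined in the trusted code base. The rule shape (condition and consequence fields carrying function source), the names fromJSONUnsafe, fromJSONSafe, lookupHandler and HANDLERS, and the attacker payload are all assumptions constructed for this example.

```javascript
// Added example (not node-rules' own code): a minimal reconstruction of the
// eval-based deserialization pattern behind CVE-2020-7609, beside a hardened
// variant that resolves rule logic from an allow-list instead of evaluating
// strings. fromJSONUnsafe, fromJSONSafe and HANDLERS are illustrative names.

// Vulnerable pattern: each rule's condition/consequence arrives as a string of
// JavaScript source and is turned back into a function with eval(). The string
// is executed in full, so it can contain arbitrary statements, not just a
// function literal.
function fromJSONUnsafe(rules) {
  if (typeof rules === "string") rules = JSON.parse(rules);
  const list = Array.isArray(rules) ? rules : [rules];
  return list.map((rule) => ({
    name: rule.name,
    condition: eval("(" + rule.condition + ")"),
    consequence: eval("(" + rule.consequence + ")"),
  }));
}

// Hardened pattern: serialized rules carry only handler *names*; the engine
// maps them onto functions that live in the trusted code base. Lookups use an
// own-property check so names such as "constructor" or "__proto__" cannot
// resolve to functions inherited from Object.prototype.
const HANDLERS = {
  conditions: {
    isAdult: (fact) => fact.age >= 18,
  },
  consequences: {
    grant: (fact) => ({ ...fact, access: "granted" }),
  },
};

function lookupHandler(table, name) {
  if (typeof name !== "string" || !Object.prototype.hasOwnProperty.call(table, name)) {
    throw new Error(`unknown rule handler: ${String(name)}`);
  }
  return table[name];
}

function fromJSONSafe(rules) {
  if (typeof rules === "string") rules = JSON.parse(rules);
  const list = Array.isArray(rules) ? rules : [rules];
  return list.map((rule) => ({
    name: rule.name,
    condition: lookupHandler(HANDLERS.conditions, rule.condition),
    consequence: lookupHandler(HANDLERS.consequences, rule.consequence),
  }));
}

// Constructed attacker input (not from a real incident): a "rule" whose
// consequence is an immediately-invoked expression. With eval() it runs at
// deserialization time, before any rule is evaluated. Here it only flips a
// marker; a real payload would reach require("child_process").
const INJECTED = { hit: false };
const maliciousRuleJSON = JSON.stringify({
  name: "innocent-looking rule",
  condition: "function (fact) { return true; }",
  consequence: "(function () { INJECTED.hit = true; return function () {}; })()",
});

// Feeds the payload to the vulnerable deserializer and reports whether the
// injected code ran.
function demoUnsafe() {
  INJECTED.hit = false;
  fromJSONUnsafe(maliciousRuleJSON);
  return INJECTED.hit;
}

// Feeds the same payload to the hardened deserializer; returns true if it was
// rejected (the expected outcome) and false if it was accepted.
function demoSafe() {
  try {
    fromJSONSafe(maliciousRuleJSON);
    return false;
  } catch (e) {
    return true;
  }
}
```

The design point is that the safe version never turns data into code: the serialized form names behaviour that already exists in the application, and the own-property check stops prototype-chain names from smuggling in an inherited function. If an application genuinely needs user-authored rule logic, that is a sandboxing problem (a separate interpreter or isolated worker with an explicit capability set), not something to solve with input filtering around eval.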


WAF Protection Rules

WAF Rule

node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function "fromJSON()" can be controlled by users without any sanitization.
