Miggo Logo
Miggo Vulnerability Database
CVE-2020-7645

CVE-2020-7645: chrome-launcher subject to OS Command Injection

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-7645
GHSA ID
GHSA-gp2j-mg4w-2rh5
EPSS Score
0.68049%
CWE
CWE-78
Published
5/24/2022
Updated
9/6/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
chrome-launchernpm< 0.13.20.13.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized use of environment variables in regular expression construction. The chrome-finder.ts file's path resolution logic directly interpolated $HOME into regex patterns without escaping special characters. This allowed command injection via environment variable manipulation, as shown in the Snyk PoC where $HOME contains malicious commands. The GitHub PR #197 specifically addresses this by adding regex escaping for environment variables, confirming these functions were the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**rom*-l*un***r prior to *.**.* is su*j**t to OS *omm*n* Inj**tion vi* t** `$*OM*` *nvironm*nt v*ri**l* in Linux op*r*tin* syst*ms. T*is issu* is p*t**** in v*rsion *.**.*.

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us* o* *nvironm*nt v*ri**l*s in r**ul*r *xpr*ssion *onstru*tion. T** `**rom*-*in**r.ts` *il*'s p*t* r*solution lo*i* *ir**tly int*rpol*t** $*OM* into r***x p*tt*rns wit*out *s**pin* sp**i*l ***r**t*rs. T*is *l