
CVE-2020-7678: node-import `params` argument can be controlled by users without any sanitization

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.60592%
CWE: -
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: node-import
Ecosystem: npm
Vulnerable Versions: <= 0.9.2
First Patched Version: (none given on this page)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability documentation explicitly states the 'params' argument of the module function is passed to eval() in line 79 of index.js. Multiple sources (GitHub Advisory, NVD, Snyk) confirm this pattern matches a classic eval injection vulnerability where user-controlled input flows directly into code execution without sanitization. The provided PoC demonstrates how crafted params can execute arbitrary code through this function.
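To make the bug class concrete, here is a constructed JavaScript illustration (not node-import's own code) of a `params` value reaching `eval()` beside a hardened replacement that treats `params` strictly as data; the allow-list of keys is an assumption for the example.

```javascript
// Constructed illustration of the bug class behind CVE-2020-7678; not node-import's code.
// The advisory says a caller-supplied `params` value reaches eval(). Any string
// handed to eval() is treated as JavaScript source, not as data.

// Vulnerable shape (the pattern the advisory describes): params is evaluated as code.
function unsafeParams(params) {
  // eval() parses and runs whatever JavaScript the string contains.
  return eval('(' + params + ')');
}

// Hardened replacement: params is parsed, never executed.
//  - JSON.parse builds data and cannot run code
//  - only a plain object is accepted, with keys from an allow-list
//  - only primitive values are accepted, so functions and nested objects are refused
const ALLOWED_KEYS = new Set(['name', 'version', 'debug']); // assumed allow-list for this example

function safeParams(params) {
  const obj = typeof params === 'string' ? JSON.parse(params) : params;
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('params must be a plain object');
  }
  // Null-prototype result: a key such as "__proto__" cannot reach the prototype chain.
  const out = Object.create(null);
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected params key: ' + key);
    const value = obj[key];
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new TypeError('params.' + key + ' must be a primitive');
    }
    out[key] = value;
  }
  return out;
}

// True when safeParams refuses the input; convenient for checks and tests.
function rejects(params) {
  try { safeParams(params); return false; } catch (e) { return true; }
}
```

The contrast is the point: `unsafeParams('({ x: 1 + 1 })')` yields `{ x: 2 }` because the string was executed, while `safeParams` either returns plain data or throws.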


WAF Protection Rules

WAF Rule

This affects all versions of package node-import. The `params` argument of module function can be controlled by users without any sanitization. This is then provided to the "eval" function located in line 79 in the index file `index.js`.
