
CVE-2020-7730: Command injection in bestzip

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.91656%
Published: 5/6/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: bestzip
Ecosystem: npm
Vulnerable Versions: < 2.1.7
First Patched Version: 2.1.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from building a system command by string interpolation of the user-controlled 'options.source' input and passing the resulting string to child_process.exec(). The pre-patch implementation in nativeZip() concatenated the sources into a single shell command without escaping them, so shell metacharacters in a source name were interpreted by the shell. Commit 45d4a90 shows the fix: exec() was replaced with spawn(), and the sources are passed as an argument array built by expandSources(), so no shell parses them. Passing unsanitized input into an exec() command string is a well-known CWE-78 (OS command injection) pattern.


WAF Protection Rules

WAF Rule

The package bestzip before 2.1.7 is vulnerable to Command Injection via the options param.
