CVE-2020-7778: OS Command Injection in systeminformation
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-7778
EPSS Score: 0.77092%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| systeminformation | npm | < 4.30.2 | 4.30.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from prototype pollution affecting the string-processing functions used to construct OS commands. Key functions identified:
- inetChecksite - directly processes user-controlled URLs that are passed to curl
- sanitizeShellString - core sanitization routine, vulnerable to overrides of String.prototype methods
- Network/process functions - interface with system commands using inputs that were unsafely sanitized

The patches add a prototype pollution check (isPrototypePolluted) and safer character-by-character sanitization, confirming these functions as the vulnerable entry points. Runtime exploitation would show these functions processing malicious inputs before command execution.
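The mechanism described above, as an added example that is not systeminformation's own code: a sanitizer that resolves `.replace` through `String.prototype` on every call is silently neutralised once that prototype is polluted, while a pre-flight check in the spirit of the advisory's isPrototypePolluted refuses to build a command. The function bodies, the allow-list and the constructed input are assumptions for illustration.

```javascript
// Added example (not systeminformation's code). Names mirror the advisory;
// bodies are illustrative assumptions, not the project's implementation.

// Allow-list of characters accepted in a shell argument (assumption).
// A null-prototype object so the `in` lookup itself cannot be polluted.
const ALLOWED = Object.create(null);
for (const ch of 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._:/-') {
  ALLOWED[ch] = true;
}

// Pre-fix-style pattern: each call resolves .replace through String.prototype,
// so a polluted prototype silently changes what "sanitized" means.
function sanitizeShellStringLegacy(input) {
  return String(input).replace(/[^A-Za-z0-9._:\/-]/g, '');
}

// Guard: exercise the String methods we depend on against a known input and
// report tampering if any of them no longer produces the expected result.
function isPrototypePolluted() {
  if (typeof String.prototype.replace !== 'function') return true;
  if ('ab;c d'.replace(/[^a-z]/g, '') !== 'abcd') return true;
  if (typeof String.prototype.toLowerCase !== 'function') return true;
  if ('AB'.toLowerCase() !== 'ab') return true;
  return false;
}

// Hardened pattern: check the prototype first, then filter character by
// character using index access and the null-prototype lookup table.
function sanitizeShellString(input) {
  if (isPrototypePolluted()) {
    throw new Error('String.prototype tampered with; refusing to build a shell command');
  }
  let out = '';
  for (let i = 0; i < input.length; i++) {
    if (input[i] in ALLOWED) out += input[i];
  }
  return out;
}

// Runs both sanitizers before and after a simulated pollution of
// String.prototype.replace (a no-op override), restoring it afterwards.
function runScenario() {
  const hostile = 'example.com;echo hi'; // constructed input carrying a shell metacharacter
  const result = { cleanLegacy: sanitizeShellStringLegacy(hostile), cleanHardened: sanitizeShellString(hostile) };
  const original = String.prototype.replace;
  String.prototype.replace = function () { return String(this); }; // simulated pollution
  try {
    result.pollutedLegacy = sanitizeShellStringLegacy(hostile); // metacharacters pass through untouched
    try { sanitizeShellString(hostile); result.pollutedHardened = 'accepted'; } catch (e) { result.pollutedHardened = 'rejected'; }
  } finally {
    String.prototype.replace = original;
  }
  return result;
}
```

In a clean runtime both sanitizers strip the `;` and the space; once `replace` is overridden only the legacy version keeps "working", returning the input unchanged, which is the condition the isPrototypePolluted check is meant to catch before any command is executed.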