
CVE-2021-23376: Command Injection in ffmpegdotjs

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.68852%
Published
5/6/2021
Updated
1/27/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name    Ecosystem    Vulnerable Versions    First Patched Version
ffmpegdotjs     npm          <= 0.0.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability documentation explicitly identifies trimvideo as the entry point, and the code shows direct interpolation of user-controlled parameters (start, duration, output) into an exec() call without sanitization. The provided PoC demonstrates successful exploitation through the output parameter. While other functions in index.js also use exec(), only trimvideo is explicitly confirmed vulnerable through advisory details and reproduction evidence.

WAF Protection Rules

WAF Rule

This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input
